Saturday, December 22, 2012

Passing the SANS SEC504: Hacker Techniques, Exploits & Incident Handling Exam

A few months back I attended the SANS class “SEC504: Hacker Techniques, Exploits & Incident Handling”, and I must say, it was awesome. The course goes into detail on the techniques and exploits attackers use in today’s threat landscape and the ways incident handlers can prevent, detect and eradicate threats. The cost of the training and the exam was high, but it was worth every dollar to spend 6 days with like-minded professionals all hacking the day away. Leaving the course I felt a renewed confidence in my skills and had learned a few new tools that I wasn’t familiar with before; then I began studying for the exam.

Let me preface this by saying, exams and certifications don’t make you a better security pro, all they do is show others that you have the knowledge to pass the certification. In many cases this means that people have diluted both the exam and the certification by dumping for the test and just end up collecting credentials without knowledge or experience. This hurts both the people that have worked very hard to pass the exam and the cheater themselves by falsifying their knowledge. Anyway, I digress.

Now having said this I’m not going to give away any questions or topics that are on the exam, that would defeat the purpose of this blog post, but I do want to give a few helpful hints regarding studying for the exam. During our class our instructor gave us a heads up on a few ways to prepare for the test and I have a few that helped me tremendously as well.

First, let's lay down the rules of the exam and what to expect:

·      The exam is completely open book. Yeah, I know, easy, right? Not. The proctor looked at me strangely when I told her it was an open-book test and made me prove it. This is your first tip: bring your confirmation proving that it's open book. She then went on to say that open-book tests are normally much harder, and this time she was right. You’re allowed to bring in armfuls of books to the exam that you feel will help you in your attempt. If you’ve taken the course you’ve been given adequate material to pass the exam and don’t need anything else, unless you want it. If you didn’t take the course I would highly recommend reading Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis. Not only is this book awesome and a good fit for the course material, but Ed Skoudis founded this course and teaches it. So pick it up if you’re not able to attend the training; it will surely help with the exam and your knowledge in general. There are no "right out of the book" answers, but there is material that will jog your memory. If you don't know the course work, the books will be useless.

·      For the exam you get 4 hours to complete 150 questions. That might seem like a lot of time, but when you’re flipping through books for a question you’re unsure of, the time flies by quickly. You also get a 15-minute break that stops the clock so you can stretch and clear your mind. I highly suggest you use it when you hit question 75 to give your brain a break.

·      The exam is also multiple choice, but that doesn’t always make it easier; many times I found it more difficult to pick only one answer.

·      During the test your score is displayed every 15 questions as a meter of how you’re doing. This can be either very reassuring if you’re doing well, or a way to set you into a panic if you’re not cutting the mustard. The passing grade for the exam is a 72, so knowing where you stand during the exam can be a two-edged sword.

Now for the studying tips:

·      Whether you’ve attended the course or you’re self-studying, I would highly recommend poring over the material before taking the exam. Prepare yourself with the materials you have; otherwise you’ll be in for a long test.

·      Tab your books with sticky notes so that you’ll be able to quickly find topics as they come up. This is one of the most important areas of preparation for the exam and I can’t emphasize it enough. If you’re unable to answer a question without research, you need to quickly find where the topic might be in your books. Having sticky notes lining the side of each book is a quick way to do this, especially if you’re using five (or more) books.

·      Read through all your material and keep notes. You’re also allowed to bring in notes to the exam that you’ve written or printed out. Find areas that you might be weak in and make notes that will help jog your memory. I used the course books and kept a spreadsheet of all the tools mentioned, the book each was in and the page within that book, so I could quickly go to the right page if there were specifics about a tool I wanted to verify during the exam.

·      If you’ve taken the course you’ll get a few things on your SANS account that I wasn’t aware of until I logged into the site. Within my account I was given two practice tests that were similar to the experience of the actual test (just with different questions) and mp3s of the same course by Ed Skoudis. I can’t tell you how valuable those mp3s were; after reading the books again, I listened to the mp3s by Ed on my way to work, at lunch, etc. to prepare for the exam. I read a review of Ed Skoudis’s teaching that went like this, “Ed is able to harness the English language like a weapon,” and I couldn’t agree more. He’s a wonderful teacher and really helped me grasp many topics. Also, if you're not going to use the practice exams you're able to "give them away" to someone else for their studies.

So that being said, please try to take a SANS course if you’re able to, they’re terrific. The SEC504: Hacker Techniques, Exploits & Incident Handling in particular was a great learning experience that will help me professionally for years to come. 


Happy Holidays with Gratitude from Breezy Point

I know this blog is dedicated to information security, but there are things in life that take precedence over cyber security. Living in New York I saw firsthand the devastation that was left by Hurricane Sandy. This storm might seem like a distant memory for some, especially if you weren't in its path, but the effects are still lingering for many along the coast of New York and New Jersey. This video shows what many are still going through during this Christmas season. Please pray for them and their families. The video is a collage taken from Breezy Point by one of its residents that we volunteered with during this tragedy.

Tuesday, December 11, 2012

The Rise and Rule of Android

I've reviewed mobile security many times on this blog before, but the explosion of the Android OS still amazes me. Take a look at this image regarding the rise and dominance of the Android juggernaut from


Tuesday, December 4, 2012

Enhancing Your Security at the Edge: Part 2 of 2

In our last article we looked at how to harden your perimeter with traditional firewalls and routers. In part 2 we will continue this examination of enhancing security at the edge, but higher up the stack via an application or layer 7 approach. Just as with traditional firewalls and routers, when it comes to the application layer we need to maximize the benefits available to us with solutions, without adding too much complexity to our security operations.

We Bring the Fire Back

The systems in place that can assist with monitoring/securing your systems from application layer attacks are Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF). Here are just a few more “bumps in the road” that I’ve seen when it comes to these devices:
  • Monitoring traffic at the application layer needs much love. You can’t just turn on a system like these and assume that you’ll be catching every bit of malicious traffic that comes past your interface. We’ll dig deeper into this later on, but each one of these systems needs to be tuned in order to work for your organization. Not all filters or signatures are going to be turned on by default and knowing what’s behind these security devices is going to be key (AKA Understand your network).
  • Even with tuning in place you’ll still get false positives, albeit fewer, but false positives nonetheless. Management and others involved need to understand that this isn’t a silver bullet and that when properly tuned will assist with blocking malicious traffic. But the potential for false positives will always be there. What needs to be shown is the risk between having a potential false positive versus a security breach.
  • These devices are always going to be in-line with your network and because of this they are also a concern as a single point of failure if not configured properly. Making sure that the systems that are in place to protect your business don’t bring it down should be a priority. Having performance issues due to the signature load they’re scanning for, or not having load balancing or clustering on them, isn’t an option when they sit in such a delicate part of your network.
You can read the rest of the article here:

Saturday, December 1, 2012

Enhancing Your Security at the Edge: Part 1 of 2

I think many of us can agree that the network perimeter as we’ve known it is no longer. In this two-part blog series we won’t spend time on the reasons for this (There are many and you can listen to my podcast on the Disappearing Network Perimeter to hear about these), but we will review a few methods to harden your perimeter from attack and include ways to manage and reduce the complexity of your network in the meantime.

When it comes to your network edge, the first devices to examine are your routers and firewalls. These devices are most commonly found in the network and are also most commonly an area of weakness. Here are just a few “bumps in the road” that I’ve seen when it comes to these devices:
Network perimeter

  • I’ve seen many networks that have old versions of software running on their perimeter devices mainly because the network admins are comfortable with the version they’re running, or they don’t want to risk the downtime or issues of upgrading to a more stable and secure version. Outdated software gives attackers an opening to exploit. You could have the best policies in place to filter traffic at the edge, but if your devices aren’t up-to-date with the latest OS, you’re giving the bad guys an easy way in.
  • Not having the appropriate access control on these devices is another common oversight. Who has the ability to make changes to these systems? Should these personnel be able to make them at any time? Even though access control is more of an internal issue, it’s still needed to protect your perimeter from attack.
  • Don’t forget about your firewall rulesets and router ACLs! Firewalls and routers are designed to ALLOW traffic through them. I know we often think of them the other way around, especially with firewalls, but these are in place to forward traffic into your network. While a big part of their job is to block traffic, they’re ultimately in place to ALLOW traffic into your network. So just because a ruleset is locked down to certain ports doesn’t make your network secure. This is where IPS/NGFW technology comes into play, but we’ll get to that in the next article.
You can read the rest of my article at

Monday, November 5, 2012

My Podcast with (Security Horror Stories)

As we prepared for Halloween last week, I sat down with Alan Shimel ( and Nimmy Reichenberg ( to share some of the scary things we've all seen or heard about in our time in information security. Here's the podcast recording which is also available on Network World at



Contributions Towards nCircle's “Security Tips, Tricks & Bits” eBook

I was recently asked to contribute towards nCircle’s security eBook entitled “Security Tips, Tricks & Bits”.  You can view the entire eBook at the following link as a PDF: eBook.

Also, you can look at the below press release with some of the other folks that contributed towards the eBook here: Other Folks
If you haven’t already taken a look at what nCircle has to offer, I’d highly recommend you give them a gander. They have a solid offering in the vulnerability management and metrics sector.

Friday, November 2, 2012

Hacking in a Hurricane

It occurred to me on Monday night, as I was sitting in the dark, unplugged from the Matrix due to Hurricane Sandy, that attackers could take major advantage of weather-related situations like hurricanes, earthquakes, etc. for their own devious means. No, I'm not talking about Cobra Commander and his Weather Dominator, but it's a close second.

With the majority of NY and NJ without power attackers could have taken this time to launch attacks towards unprepared victims. At a time when companies in this area are most likely failing over their systems to other locations, and IT support is either out of power or are being overwhelmed with other duties, an attack could go unnoticed. Talk about adding insult to injury!!

Security monitoring needs to be considered as a major part of your business continuity program. We need to have people and resources in place to make changes and monitor your environment during and after a major catastrophe. Don't get me wrong, it sucks without power, but we need to make provisions to keep our guard up during these hard times.

We need to start thinking like criminals and understand that they're very opportunistic in nature and if they can make some money quickly, without being seen, they're going to do it. It's similar to criminals launching DDoS attacks as a diversion to even more malevolent activity behind the scenes.

This being said, my heart goes out to all those who were affected by this horrible storm. We need to have our priorities in place, and keeping our families, friends and neighbors safe is at the top of the list. There is nothing more important than that, but we should have policy and procedure in place to continue our security posture during and after a catastrophe so we can focus all our energy on what really matters.

Front Line Sentinel Nominated as Top National Security Resource

I was informed earlier in the week that “Front Line Sentinel” was named a Top National Security Resource on the subject of Cybersecurity by the site You can review the full list here.

It’s with much humility that I join others who have not only been doing this for quite some time, but doing it much better than I ever could.  The goal in starting this blog was always awareness (as well as ranting) on cybersecurity and I’m still slightly amazed when I realize people actually read it.

Thanks again everyone!!

Thursday, October 25, 2012

Barnes and Noble POS Breach: My Interviews with Store Managers

Now before we begin, I'm a big fan of reading and of Barnes and Noble in general so I found this particular breach very interesting. After working with them as a customer a few years back and even being considered for a few security positions in their organization I felt somewhat enamored by them. During these encounters I was always left with a good impression of the people, culture and  business. So knowing this I became very interested in their breach and wanted to find out the most I could about it and how they handled the situation.

Once I heard they were breached I spoke with two store managers regarding the incident and their impression of how it was handled. The first store I visited wasn't part of the breach, but I went there to get a better view of how they were handling the incident in general. Once a POS is breached it's imperative that you not only replace and remediate the systems which were abused, but also eradicate the possibility of an attacker coming back. This would be part of the containment and eradication phases in the incident handling process. During my visit to the store I talked with the store manager on staff, who spoke freely about the incident, or at least what she was aware of, without questioning me or why I was there.

From her responses, only the PIN pads were affected and altered by an outside party. To her knowledge this was not an inside job. She also mentioned that they had known about the incident for the past month or so and were working with federal agents to gather more information. The store manager also said that as soon as the breach was found they removed all PIN pads from each of their 700 stores in the same day and are now looking into further details. This to me shows that Barnes and Noble took this breach seriously by moving quickly to eradicate the threat of additional theft, especially with the holiday season arriving. I went to this store on purpose to see how they were dealing with the incident as a whole, and not as isolated incidents. They passed this test.

After first going to a store that wasn't hit, I then spoke by phone with a store manager at a site that was targeted. This store happens to be about 10 miles from the first store I visited and in a much wealthier part of town, which leads me to think that the thieves had a good idea of where they were aiming based on the store locations. This is a theory, but it would make sense if you're trying to make money: hit the place with debit/credit cards that have the most on them; common sense really.

Anyway, when speaking with this store manager he seemed very helpful at first when I asked him the same questions about how it happened, when it happened and if they'd be getting the PIN pads back, if at all. He gave me the same canned answers as the first store manager, but after he realized that I was starting to ask more technical questions he diverted me to another associate after a few minutes of hold time. Apparently, I was taken as someone from the media and was forwarded to someone who was slightly more polished with their answers, which I found very reassuring once again. They passed another test.

Overall, everyone at one point in time is vulnerable to attack, but in reality it's how you deal with the fallout that keeps you from becoming an even bigger mess. A first glimpse of how Barnes and Noble responded to the incident, by removing the affected systems, giving the people at their shops the knowledge to speak without giving too much away, and diverting curious folks like myself to more "in the know" individuals, is a sign that they're taking this breach very seriously, as they should. And in the long run this could very well save them from additional embarrassment. They also have a list of the stores that were targeted on their site and are being transparent about the breach. It's my opinion that as of right now they're dealing with this breach in a responsible manner, which in the long run could be one of their saving graces.

You can view the breach notification released by Barnes and Noble here for further details:

Wednesday, October 24, 2012

Risky Business: 5 Common Business Activities That Put Corporate Data at Risk

Most firms acknowledge that there is risk associated with the exposure of their confidential information.

This can be in the form of legal risk, if it relates to personal information, or competitive risk, in the case of commercial information, like trade secrets and client lists.

Most firms maintain security policies and procedures to mitigate these data security risks. These can range from adding passwords on smart phones used outside the office, to signing complex NDA agreements with third parties when confidential information is shared, like in an M&A transaction or a licensing deal.

However, while these measures provide some level of risk mitigation, many firms still continue to engage in risky day to day business activities that can jeopardize these efforts.
For the most part, these risky activities are an afterthought, as they center on three necessary components of every business person’s day – email, third parties and being out of the office.
Your confidential information is at an increased risk of being exposed if you engage in even one of the following activities:

1. Send confidential or sensitive documents to third parties via email

2. Share confidential or sensitive documents with third parties for a limited time

3. Access confidential or sensitive documents outside of the office

4. Transport confidential or sensitive documents using zip drives or hard drives

5. Store confidential or sensitive documents on your own servers in your office

Below are a few examples of what can happen if just one confidential document gets emailed to the wrong person, or a firm relies on ‘traditional’ methods to deliver sensitive information.

Flash Drives

In November 2011, the personal information of current and former employees at Regions Financial Corp was compromised after a flash drive went missing. The flash drive, which contained information about thousands of 401k retirement plan participants, including their names and social security numbers, was mailed by an external auditor to another one of its offices. To make matters worse, the flash drive was put in the same envelope as the decryption code, and when the package arrived, the flash drive was gone.


In September 2009, a California judge ordered Google temporarily de-activate a Gmail account after a bank employee mistakenly sent sensitive data to the wrong recipient. When the employee realized his mistake, he immediately sent a second email, instructing the recipient to delete the email and attachment without opening it. When he got no response, the bank contacted Google to find out if the account was still active. However, Google would not disclose such information without a court order, so the bank had to sue Google to obtain the account holder’s name and contact information.

Accessing Data outside the Office

In August 2012, a software engineer for Motorola was sentenced to 4 years in prison for stealing trade secrets. The employee was stopped during a random security check at O’Hare International Airport in February and found to be carrying $31,000, along with hundreds of confidential Motorola documents stored on her laptop, four external hard drives, thumb drives and other devices. Prosecutors alleged that among the secrets she carried were descriptions of a walkie-talkie type feature on Motorola cellphones, which prosecutors argued would have benefited the Chinese military. 

These examples remind us that simple day to day activities could be putting your corporate data at risk, undoing all the things that security policies and procedures aim to protect.

Many firms are therefore implementing more secure document sharing methods, like virtual data rooms, to exchange information with clients and third parties.

A virtual data room is a cloud-based document repository used by business professionals to share confidential documents around M&A transactions, litigation, fundraising and government compliance. 

The administrator invites users into their online data room behind a secure login to review confidential documents. These documents are protected with 256-bit encryption and Digital Rights Management, allowing the administrator to control who can access certain documents and what they can do with them (e.g. view, print, or save). Administrators are also able to lock documents to an individual computer, or revoke access remotely, even after the document has been downloaded from the data room.

By using a virtual data room, the firm maintains complete control over how sensitive information is viewed, thereby mitigating the risk of it falling into the wrong hands. 

Wednesday, October 17, 2012

BYOD Initiatives Could Be Risking Corporate Data

The Bring Your Own Device (BYOD) phenomenon is gaining momentum. A recent survey by CIO Magazine revealed that by the end of 2011, nearly half of all mobile devices used in the workplace were employee-owned.

The reason is simple - employees like to use their own stuff. As consumers, they have access to some of the best devices — iPads, iPhones, Android phones, Android tablets — and all the apps that come with them. Employees don't want to use the clunky laptops and complex software of their employers. And they don't want the hassle of carrying around two separate phones.

Rather than fight it, the smart companies are embracing the BYOD trend. Kraft, Whirlpool and IBM are just some of the larger names that have already implemented BYOD guidelines for their employees.

However, at the same time, there are some serious concerns attached to BYOD schemes, especially around the security of corporate data.

BYOD — A Security Nightmare

Without a proper BYOD policy in place, employers can easily lose control over how and where their corporate information is stored. 

Cloud computing technologies now make it easy for employees to self-select and install their own business apps, without the need to consult with IT. This presents significant security concerns for employers, who have little insight into what apps are being used and whether they are secure enough to house confidential corporate information.

It’s not uncommon, for example, for business users to use personal cloud solutions, like Dropbox, iCloud and Google Drive, to store business files. These applications are relatively cheap, if not free, and provide convenient access to documents from multiple locations. However, because they are designed for personal use, these applications also lack the vigilant security protection needed for confidential corporate data; things like data encryption, managed user permissions and offline document control. 

The recent Dropbox security breach is a timely reminder of how easily information stored through these applications can be compromised.  It’s no surprise that in May 2012, IBM banned the use of Dropbox by all of its employees.

Lax Approach to BYOD Security Causes Major Headaches

Another concern around BYOD is the lax approach some employees take toward mobile device security.

According to a recent survey by Coalfire, 47 percent of respondents had no password protection on their mobile phone, even though 84 percent admitted to using this device for work.
What's more, 36 percent said they reused the same password, and 60 percent are still writing down passwords on a piece of paper!

Employees Unaware of Security Risks

The Coalfire survey also revealed that nearly half (49 percent) of respondents said their IT departments had not discussed mobile security or cyber-security with them. Only 25 percent reported a discussion with IT, suggesting that 75 percent were left to exercise their own judgment.

What’s more, 51 percent said their company did not have the ability to remotely wipe data from their mobile device if it was locked or stolen — a huge problem if the device is also not password protected.

A BYOD Policy is Essential for Every Workplace

In order to reduce BYOD security risks, employers should implement a BYOD policy and update their other existing security policies to include the use of personal devices. They should also consider implementing the following initiatives.

5 Ways to Boost BYOD Security

•    Arm your employees with knowledge: Educate employees on the security risks and best practices for using personal devices in the workplace

•    Power-on passwords: Enforce power-on passwords for all devices containing corporate data; a power-on password buys time to wipe a device in the event that it's lost or stolen. Companies should also extend policies around password-strength and password expiry for personal devices.

•    Monitor business app usage: Require employees to provide IT with a list of the business apps they are using, along with the account information (username and password). IT should have permission to monitor these apps, and check them before they are shut down permanently (especially after the employee leaves).

•    Stronger authentication: Enforce a stronger authentication process if users are allowed to store sensitive data or trade secrets on their smart phones or tablets.

•    Encryption or nothing: Make encryption the price of being allowed to keep corporate data on personal devices. This can be challenging in mobile security because there are different encryption options for various mobile platforms. Build and maintain a list of ‘approved’ devices that meet your security criteria.

While the BYOD phenomenon can’t realistically be eliminated, employers can learn to adapt. Part of this involves being vigilant in protecting their corporate information. Without the proper guidelines and employee education in place, they could stand to lose a whole lot more than they bargained for.

Content courtesy of Firmex Virtual Data Rooms

Saturday, September 29, 2012

Top 5 Network Security Technologies

The threats to your network are constantly evolving, so trying to defend your company is like trying to hit a moving target. Not only are new threats coming from external players, but having to protect yourself from malicious insiders is also part of keeping the business secure. Here are the “Top 5” technologies, in my opinion, that should be implemented within an organization from a networking perspective to limit risk. This doesn’t mean you’re secure, but applying these systems to your defense along with the proper monitoring and policy is a step in the right direction.

Vulnerability Management

There are many forms of vulnerability management, but knowing where you’re vulnerable is a good place to start your security program. Having an understanding of where you’re vulnerable in your systems, applications and networks before someone with malicious intent does is highly valuable.

Data Loss Prevention (DLP)

Protecting your company from data leakage or loss is important. Many security systems are designed to keep malicious traffic from coming into the network, but what happens if someone’s already on the inside? Using DLP to monitor and block protected information from leaving the network, or from being touched by those who shouldn’t have access, is another way to defend against risk.

Log Management

If you’re not logging your systems you’ll be flying blind when an attack happens. Notice I didn’t say “if” an attack happens. During incident response you’ll wish you had the history or time machine of logs to rely on and assist you with incident management. No one ever said, “I wish I didn’t have all these logs” during an incident. Logging everything you have is essential.

Security Incident and Event Management (SIEM)

Now that we’ve spoken about logging, let’s take it up a notch. Now that you have the logs, what are you going to do with them? Establishing a way to correlate these logs to capture attacks against your network in real time is the next logical step. Creating rules and alerts based on the data you’re collecting from your systems is essential for defense.

Next Generation Firewall/IPS

I’m lumping these two in the same category because this market is starting to merge. Either way having one or both of these systems in line with your network will assist with blocking/alerting on malicious and suspicious traffic that’s passing through them, normally on the perimeter or between networks. Now that these systems are able to look into the packet data and analyze through the stack their importance in your network is vital.

Wednesday, September 19, 2012

Monday, September 17, 2012

Wi-Fi for your fridge? That's just bananas.

We haven't even scratched the surface on the implications of having devices like these attached to the internet. The more you expose, the more vulnerable you'll be, and I doubt people are thinking about the lasting security consequences when rushing products to market.

This is where the physical world meets the cyber security world. No longer are you looking at hacking to steal data, but in these instances you're able to do physical harm to another person or people with these compromises. The ability to hack the electronic system of cars and pacemakers is a perfect example of this.

Companies are rushing to attach their technology to the internet without thinking of the long-term risks they might be taking on. I sound like a crotchety old man here, but I think in the grand scheme of things this will end up causing more harm than good.

What do you think?

Friday, September 14, 2012

Securing big data: Architecture tips for building security in

Since “big data” is a hot topic these days, there’s no question an increasing number of enterprise infosec teams are going to be asked about the security-related ramifications of big data projects. There are many issues to look into, but here are a few tips for making big data projects more secure during the architecture and implementation phases:
  1. Create data controls as close to the data as possible, since much of this data isn’t “owned” by the security team. The risk of having big data traversing your network is that you have large amounts of confidential data, such as credit card data, Social Security numbers and other personally identifiable information (PII), residing in new places and being used in new ways. Also, you’re usually not going to see terabytes of data siphoned from an organization, but the search for patterns to find the sensitive content in these databases is something to be concerned about. Keep the security as close to the data as possible and don’t rely on firewalls, IPS, DLP or other systems to protect it.
  2. Verify that sensitive fields are indeed protected by using encryption so when the data is analyzed, manipulated or sent to other areas of the organization, you’re limiting risk of exposure. All sensitive information needs to be encrypted once you have control over it.
Read the rest of my article here:

Wednesday, September 12, 2012

Antivirus alternatives: Evolving enterprise endpoint security strategy

It's easy to see why so many savvy information security professionals are skeptical about the effectiveness of enterprise antivirus systems. Today, most malware is dropped directly onto enterprise endpoints without much effort on the part of attackers. Studies have shown that a fully updated antivirus package is only about 50% effective at guarding against malware and is almost useless in preventing zero-day attacks, which are becoming increasingly common.

 Malware writers are getting smarter and their viruses more sophisticated. Criminals are using encryption in their malware, along with robust business models that include quality control checks, license keys, upgrades, support and marketing. The bad guys take beating antivirus programs very seriously, and so should we.

A standard antivirus package is no match for today's malware because it is based on signatures. Having to keep thousands of antivirus clients up to date with the latest signatures is also something that becomes an issue; as AV signatures age, their effectiveness declines. This is just a cat-and-mouse game we play with cybercriminals that they are winning. In fact, most attackers test their malware against common antivirus products before ever employing it to ensure that the malware can get through. Although antivirus is still a needed layer in the defense-in-depth paradigm and demanded by many regulations, any organization that relies on antivirus alone for its endpoint protection has cause for concern.

Consider the path a malicious file normally takes before it arrives at an endpoint: The file is sent from the malicious source and makes its way through the Internet, onto the network, through a company's systems, and eventually onto its endpoint. Along this path are multiple opportunities within the network to catch this traffic and stop it before it causes a breach or infection.

Throughout this article, we'll look at each one of these locations in the network and propose a few technologies that can assist with the process of implementing a new endpoint security strategy for stopping malware before it strikes.

Antivirus alternatives: The cloud layer

The cloud has a scary reputation when it comes to storing data, but cloud computing can be especially helpful from an antivirus perspective. Many antivirus vendors now offer services in which they combine intelligence from tens of thousands of customers, partners and even other vendors to better pinpoint potentially malicious activity. The knowledge enables a more predictive form of protection from malware before it even hits a company's network.

When attempting to stop malware from infecting an endpoint, it should be stopped as close to the source as possible; the fewer layers it penetrates, the less likely it will get anywhere near an endpoint. There are only so many new signatures, antivirus or otherwise, that can be pushed down to a multitude of endpoints. If malware can be stopped in a choke point once, it would free up these nodes. Using cloud-based systems as part of the antimalware infrastructure reduces the number of malware instances that make their way to the local network.

Services like those provided by FireEye and ValidEdge allow traffic to be scanned for malware before it hits the network. These providers' services rely on appliances that are in tune with similar systems and work together against known recent attacks. This allows for quicker and more comprehensive protection before potentially malicious traffic enters into the network. In essence, the cloud allows many systems to globally share intelligence to stop malware.

Read the rest of my article at:

Network Security Horror Stories: Router Misconfigurations

In the last installment of our network security horror stories (part one was on Change Control and part two on Firewall Misconfigurations), we’re going to focus on router misconfigurations. Like firewalls, routers play an important part in your organization’s network, but unlike firewalls they are not security appliances. Even though a router’s main purpose isn’t security focused, that doesn’t mean you can’t secure it. Here are a few classic router misconfiguration examples that I’ve come across:

1.    HTTP Open on the Router

While reviewing security for a company from the perimeter I discovered that HTTP was enabled on their core Cisco routers. They were both running very old versions of the IOS and were using the default credentials to log into the device. After getting into the router I was able to escalate to “enable” mode and could in theory have changed routes or wiped the NVRAM. After speaking with the network owners we quickly removed the HTTP service from the core routers and dodged a bullet.

2.    Password Files Stored on Router

Everyone knows that if you’re going to store passwords you should do it in a secure manner so as not to divulge your credentials. Well, in this instance an admin decided to store all of the company’s credentials in a Microsoft Word file on the router’s storage. This router was running SSHv1 and penetration testers were able to gain access to the system. After finding this file they were given complete access to the company without blinking an eye. When the admin was confronted about the file being stored his response was, “But you can’t open the .doc file on a Cisco router!!”. He obviously wasn’t getting it.

Read the rest of my article posted on Algosec's blog:

Monday, September 10, 2012

Google Acquires VirusTotal

The search engine giant Google acquired Virus Total on Friday. I personally think this was a great move by Google to scoop up these guys, but I still hope that they allow Virus Total to act independently. What everyone’s thinking is that Google will eventually add the Virus Total technology into their search features to scan files for malicious content as they are downloaded. This would be a huge win for everyone that uses the internet, but I’m still unsure how the anti-virus vendors feel about it. If this is what they’re planning, I’m interested to see what the AV vendors do or charge to have their product used for free (if that’s even possible). Very interesting.