Wednesday, February 24, 2016

Internet Privacy and the Future

Here's an article I contributed towards, with a bunch of other really smart people, regarding "Internet Privacy and the Future". The question being answered in this article is whether or not to use personal VPNs going forward. Here's a snippet of my response:

“The government is in the business of collecting data for surveillance, not just small amounts of data either, but everything they can get their hands on. In the past this was the exception; if there was a need to retrieve data, which there always is, they would go through the proper channels to acquire said data. Nowadays the constant stream of data being poured into government silos for surveillance has become a business model. Collect everything and sort it out later”

Read the rest of the article here:

Paid Participant Study with illumio Systems (Apply Here)

I reviewed illumio systems yesterday and they're looking to pay additional qualified participants to assist with reviewing their user experience. The illumio systems reduce the attack surface within a network by applying segmentation between predefined labels (application, location, etc.). If you're interested in assisting please apply below, and let them know I referred you too!! Very cool product and I look forward to seeing great things from them over the years.

Thursday, February 18, 2016

Wednesday, February 17, 2016

Apple Still Resisting FBI's Pressure to Crack Terrorist iPhone

Great article by the Washington Post explaining the continued pressure being applied by the FBI on Apple to crack the iPhone of one of the San Bernardino terrorists. Tim Cook is still upholding the privacy of Apple users by not allowing a back door into their smartphones. Apple's iPhones have a cryptographically strong design that leaves the company unable to hand this information over to the government. Apple's inability to hand over encrypted data to the FBI, and the inability to crack the iPhone, have pushed the government to request that Apple do the following:
  • Remove a feature that wipes a device after putting in 10 wrong passwords. If the FBI were able to have this feature removed, the government would use rainbow tables in order to brute-force the password on the device. Apple's response to this request was that they're unable to perform it, since the user that set up the device is the only one that can remove the feature. Hence the lack of backdoors.
  • In another effort to create a pseudo backdoor, the FBI requested that Apple create a tool that allows Apple to bypass the wipe feature. This is just a backdoor with a different name, and it shows how desperate the FBI is in attempting to have a backdoor put into place. They know very well Apple isn't budging, and it's surprising to think the FBI would even consider this a viable solution to their backdoor issue.
This being said, there is most likely evidence on this phone that could have the potential to assist with the case, but is it worth risking everyone's privacy over it? The major issue here still stands on the privacy of all other users. Is it worth the risk, and loss of privacy, to have the government be able to access any system when they see fit? If we think back, this became an issue for technology vendors after the revelation of mass surveillance against users was made public. If it wasn't for a complete distrust of the government, what they've done in the past and how they're acting now, maybe this wouldn't be an issue with Apple. Privacy has not only become a human right, it's become a selling point for a few vendors. Apple, for one, is making a stand against opening the Pandora's box of "backdoor encryption" and it's one I hope they continue.

Slow golf clap, Tim Cook, slow golf clap. 

Monday, February 15, 2016

LISG Presentation and Round Table Event

I'll be presenting on the "State of Cyber Security" for the Long Island Security Group (LISG) this March 2nd and would love to see some of you guys there.

Tuesday, February 9, 2016

The dangers of decommissioning systems/apps without a process

Making changes to your network can always bring insecurity. Most of the time we're concerned about putting new things onto the network (what vulnerabilities will this bring, how will this affect other systems, will it be patched, etc.), but we rarely think of this in reverse. Many times what we don't think about are the risks induced when removing a system, or application, from our environment. We're all gung-ho about making sure there aren't issues when putting in a device, but we should also be concerned about the holes created when a system is removed from the network.

If we're not following proper procedure to remove access for the newly decommissioned systems, we're opening ourselves up to risks which could have been easily mitigated. The misconfigurations and privilege inheritance of old systems, which will be adopted by new systems in the future, create a substantial risk to your environment.

In this article I explain in more detail the dangers of decommissioning without a process:

Monday, February 8, 2016

FRONTLINESENTINEL UPDATE - Redesign of blog, thank you and we're looking to assist......

Over the next year the design of this blog will be changing drastically to allow room for additional writers, projects, partners, etc. In the meantime, as the new design is worked on, we’d like to know if anyone is interested in assistance from this blog in written form, podcasts, speaking engagements, conferences, etc. If there is a need to have us assist with any of these or other areas, please let us know.

This little blog was started as a side project a few years back, but has been growing drastically over the years, which is still always a surprise to me when I look at the stats and emails. Much of the work done because of this site is for other blogs, conferences, speaking engagements, etc. This has always been from companies, or readers, that have given us the opportunity to work with and for them. It’s a great honor to work with you and something I personally take very seriously.

One area where I’d like to assist others in the future is letting security startups, or up and coming vendors, use this site as a soapbox. If you have a need to market your products, please let me know. There are a lot of great ideas out there that this site can hopefully assist with getting the word out.

At this time you can reach me at as your point of contact, but we’ll be branching out to other administrators in the future that will handle these and other requests going forward. 

Thanks again!!

Saturday, February 6, 2016

Do network vulnerabilities matter? Yes, yes they do.

Everyone knows that vulnerabilities matter, but many times I feel people focus on servers and applications before giving the network equipment some vulnerability assessment love. It's true that these systems don't have as many changes, or even updates to their code, as many of the others do, but that doesn't mean they should fall to the bottom of the vulnerability scanning list. I think there's a case to be made that they should even be among the first scanned, with all the focus they've received over the past couple of months.

Setting up schedules, metrics and credentialed scanning of your network equipment needs to be done. There's no reason to wait and no reason to assume there's no risk, since the longer you wait to find vulnerabilities the longer you're vulnerable to attack. With these systems playing such an integral role for the data on your network (they're pretty much the plumbing that allows the bits to flow), it's something that should be taken seriously.

Here's an article I wrote for Algosec that goes a little deeper into this very important, and often overlooked, subject of network vulnerability scanning:

Thursday, February 4, 2016

The Infosec Hiring Crisis and Building Remote Security Teams

Well, it's not a secret. It's becoming very difficult to hire information security talent, and with the job market increasing, the talent pool is getting thinner. This is happening all over, especially in large cities, and it's become even more of a concern in smaller cities, where the smaller population limits the number of qualified candidates applying. With this being said, I'm a big fan of "spreading the net" across the country and building elite teams that work remotely with top talent.

In this article for Tripwire I explain what I think companies need to start considering to fill the void of these positions, all while being agile and acquiring top talent in the security industry. It's one thing to hire someone, but if you're not going to hire a candidate with the experience and skills, why not look outside your geographic area? It requires a change of thinking for most large companies, not as much for startups, but it can work and could give you the best protection of your assets.

Here's the article: