2015 Q3/Q4 Update

This is another summary update as I've been very busy these past six months due largely to moving house.
It's important to me that I acknowledge the devastating floods that are currently happening at home. Christmas here has been ruined by unprecedented amounts of rain which have led to the worst floods anyone has ever seen. Nearly every place I've ever worked or lived in has been under water and with the clean-up under way, the rain has just returned. 
Wellington Street, opposite my office
The response has been incredible, and my thanks go out to the emergency services and everyone that's involved in putting things right. It's in times like these you realise the true value of social media and the real-world difference it can make in people's lives. From alerts and warnings to the clean up and support efforts, it's all being coordinated via Twitter and Facebook. 

Maltangent (formerly 'macrosploit'), the targeted phishing platform I've been working on with @leighhall, is two thirds through it's first client engagement. In the run up to Christmas I've been using it to test user awareness levels for my employer across several departments following the introduction of mandatory awareness training. It's still very much early days and it now seems like the market is full of phishing platforms but I'm happy with the results and can't wait to continue testing in the new year. Thanks to DLA Piper for the opportunity and for working with us and to those individuals that have provided us with feedback from phishing assessments they've had done by other parties. 


Targeted phishing appears to be a real issue within the legal sector right now. I try to write up and share the details of attacks where I can, typically with the legal security forum hosted at CiSP, but also on social media. In October alone I contributed write-ups for eleven targeted efforts against our firm which utilized a myriad of techniques. Each required immediate action, but the lessons learned will be fed back into Maltangent's the development and I used the details of the attacks to produce a 'highlights reel' which I've been presenting back to the business.


I've spent a lot of time over the last six months doing a lot of internal SANS 20 consultation after being brought in to review a long running programme that hadn't gotten anywhere. The output of this has been a lot of detailed gap assessment work (updated to v6 following release in October) which I'm now writing recommendations and strategy for to address. The initial assessment was conducted by a third party which resulted in some very light weight recommendations anchored to a set of CMM maturity scores. I'm not particularly fond of maturity scores when they're used to describe security controls. If you're doing things by the book then it can take years to move up a notch which can be misinterpreted as a lack of progress or effort higher up. This can really hamper your efforts. 
Sample SANS20 gap results made using the calculator below
I've made this v6 gap calculator available for download here if you're interested in producing your own.

We've managed to increase the headcount for our team over the past six months and consequently I've been  spending a lot of time developing junior members over the past six months. I've never really had to develop people before but I can say now it has been rewarding. I'm currently sponsoring an auditor and an analyst through day to day engagement, exercise and certification. Funmi has consequently passed the CISA exam and Farhad is working towards CISSP now. 

This will almost certainly be my last post for 2015. I'm working predictions for 2016 so keep an eye out for that in January but until then, stay safe and I hope you have a fantastic New Year :) 

Popular posts from this blog

Tools & Techniques - Cloud Firewalls (DigitalOcean)

Image
My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices.  I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent. They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.  Initial Impressions - Pros, Cons and Limitations Pros No Cost (free!!) - Cloud Firewalls are available at no additional cost. Availability - Cloud Firewalls are available in ever region DigitalOcean operate.
Read more

PCI-DSS: Your CDE may be getting bigger

Image
In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words: “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.” The guidance goes on to visualise a scoping process, considering each category of system in turn: I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the: System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity). System component can connect
Read more

WAR GAMES - Simulating Security Incidents

Image
Why it's a good idea There are a myriad of reasons to test in peace time, the controls and processes which collectively represent your incident readiness. These include: Validating your Incident Readiness - testing can confirm that you are as ready as you think you are, and that nothing has changed resulting in an end state which prevents you from initiating IR.  Assess Controls Coverage and Identify Gaps - testing can confirm your controls coverage is adequate as well as highlighting those gaps which you'd rather not have in the event of a real issue. Demonstrate value of investment - you've probably spent a lot of time and other people's money acquiring controls, attracting talent and preparing for the eventually of an incident. Internal stakeholders will likely already be looking for assurance that their investment has been worth while.  Demonstrate investment and commitment to interested parties - internal stakeholders considered, you'll lik
Read more