Showing posts from 2017

Tools & Techniques - Key Performance Indicators

Introduction

To date, I've facilitated senior-level reporting on the performance of security-driven activity in almost every position I've held. For the most part, this has been a green-field requirement, which has meant that I've been able to set out and make a case for reporting that drives improvement in the real-world security posture (RWSP) of my charge from the get-go. I believe, no matter what else is going on, that if you can inform the changes and behaviours that lead to your organisation protecting itself, you've had a good day. Second to driving improvement, KPIs and metrics provide your leadership team with insight into, and visibility of, the efforts and valuable work of your security team, which might otherwise be hidden from them. 
There is no shortage of materials and musings about the importance of security KPIs; despite this, many organisations struggle in a number of ways to define and/or employ them. I thought then I'd share some thoughts o…

Tools & Techniques - Suricata 4.0 (High-performance Network IDS, IPS & NSM engine)

On July 27th, 2017 the OISF (Open Information Security Foundation) & the Suricata project team issued a major update release to the Suricata IDS/IPS engine. The summary of improvements includes:

- Improved Detection - based on feedback from the rule-writing teams at Emerging Threats & Positive Technologies, the project added improved inspection for HTTP, SSH & other protocols
- Improved TLS detection & logging, & the addition of NFS support
- Improved EVE JSON logging functionality, including inner/outer IP logging for encapsulated traffic & extended HTTP request/response logging
- Rust support
- Major TCP stream engine update 
Full details of the release can be found here

I've been a big fan & user of Suricata for just over a year now & I've previously written about deploying Suricata on CentOS (or RHEL) here. The project still maintains some of the best documentation for an open project I've come across & you can find everything you need to install S…

Tools & Techniques - Cloud Firewalls (DigitalOcean)

My home lab is (probably) typical of most security professionals': a beefy workstation running VMware Workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices. I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent.

They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had a chance to play with them today. Essentially, they've incorporated a network-level firewall service into their VPS offering which can be used as an alternative to, or in addition to, host-based firewalls like iptables, firewalld, etc. 
Initial Impressions - Pros, Cons and Limitations

Pros

- No Cost (free!!) - Cloud Firewalls are available at no additional cost.
- Availability - Cloud Firewalls are available in every region DigitalOcean operate.
- Flexibility & Granu…

Tools & Techniques - Kali Linux on a Raspberry Pi

There are a couple of reasons why you might want to install Kali Linux on an inexpensive hardware platform that you can deploy, abandon or hide somewhere. An obvious use might be to serve as an 'Evil AP' in support of wireless assessments. Kali Linux is officially supported on a number of low-cost ARM-based devices, with Offensive Security maintaining minimal, streamlined pre-built images which can be copied across to an SD card, installed and then configured with the packages you need for the task you have in mind. 

Installing Kali Linux on a Raspberry Pi 
Offensive Security maintain good documentation here. For our needs:

Download the image from here and verify it against the published SHA256 before writing it anywhere.

    $ shasum -a 256 /Volumes/SANDISK/kali-2017.01-rpi2.img.xz

dd the (decompressed) image onto the SD cards.

    $ sudo dd if=kali-2017.01-rpi2.img of=/dev/disk2 bs=1m

Insert the SD cards after the dd has completed and boot the rpi. I had a DHCP reservation set on my router so I knew what IP it would get. I also made sure I plugged in the extr…
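The "verify" step above is easy to skip in practice: the shasum command prints a hash but nothing compares it with the value Offensive Security publishes next to the download, and the dd step writes the decompressed .img while the hash was taken on the .img.xz. The following POSIX shell functions are an added example, not code from the original post or from Offensive Security: they compare the downloaded archive against an expected SHA-256, refuse to write anything on a mismatch, and only then decompress and dd the image. The image path, the expected hash and the target device are placeholders you supply; the real published hash is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded Kali ARM
# image against its published SHA-256 before writing it to an SD card.
# IMAGE_XZ, EXPECTED_SHA256 and DEVICE below are placeholders the reader supplies.

# Print the SHA-256 of a file, using whichever tool the host provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if FILE's SHA-256 equals EXPECTED (hex, case-insensitive), else 1.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Verify the compressed image, decompress it, then write it to DEVICE.
# Nothing is written if the hash does not match.
verify_and_flash() {
    image_xz=$1
    expected=$2
    device=$3
    if ! verify_sha256 "$image_xz" "$expected"; then
        echo "SHA-256 mismatch for $image_xz; refusing to write" >&2
        return 1
    fi
    image=${image_xz%.xz}
    xz -dk "$image_xz"                 # keep the .xz so it can be re-verified later
    # bs=1M on Linux; macOS dd wants bs=1m, as in the original command
    sudo dd if="$image" of="$device" bs=1M
    sync
}

# Usage (placeholders):
#   verify_and_flash kali-2017.01-rpi2.img.xz <sha256 from the download page> /dev/disk2
```

Run it by sourcing the file and calling verify_and_flash with the archive, the hash copied from the download page and the SD card's device node; double-check the device node first, since dd will happily overwrite whatever disk you name.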

Six Months of ICO fines

A well-known high street supermarket received a fine from the Information Commissioner's Office (ICO) yesterday. I had a look at the details and you can too. It's not a vast sum but it should be cause for embarrassment. It should also be cause for concern for anyone working there who has anything to do with data protection, given the approaching changes to the ICO's powers coming next year with GDPR.
There are still a lot of people who think GDPR will be the next Y2K - I've literally heard two separate groups of people say this. I think a lot of people think that the ICO is a paper tiger and if you pushed them for an example of their actions they'd at best recount TalkTalk's record £400,000 fine. I thought then it might be interesting to review all of the monetary penalties the ICO has issued since the start of this year up to yesterday. All enforcement notices can be viewed online here.

ICO Monetary Penalties - 01/Jan/17 to 17/Jun/17

Introduction
The ICO has is…

British Airways IT Issues

The media coverage of the recent major systems outage at British Airways is some of the worst I can recall reading. Essentially a national institution working in an industry synonymous with resilience, safety and preparation is making a drama out of a crisis and many technical practitioners are still trying to understand what happened. 
In the most recent reports, it sounds like a contractor accidentally switched off the power in their datacenter and with it toppled the first domino in a series which led to 750,000 passengers being unable to fly and an as-yet-uncalculated compensation bill. 
"It was not an IT issue, it was a power issue" - British Airways 

Nothing in the information they’ve released so far really explains how this course of events came to transpire nor does it provide any confidence or assurance around BA’s approach to business continuity planning (BCP) or disaster recovery (DR). Essentially, someone was able to gain access to and then press a button whic…

DDoS Protection Services

Distributed denial of service (DDoS) attacks are now an established aspect of the threat landscape. The number of attacks reported continues to rise, as do the recorded peaks for the traffic they can deliver. 'Booter' services, the prevalence of poorly configured IoT devices and access to command and control operations for botnets like Mirai mean threat actors need relatively low levels of sophistication or competence to disrupt or completely disable unprepared organisations. Even those organisations that already have countermeasures in place must remain alert to threat actors who adjust their tools, techniques and procedures (TTPs) to circumvent controls or exhaust and overwhelm defenders. 

“There is a lack of ultimate control associated with this attack. You can’t prevent attempts, and likely need to rely on help from some upstream allies to defend if/when attempts are made. If someone points their botnet at you, hopefully you have a plan of action to engage your ISP(s) a…

Questions to ask before the next WannaCry

If your inbox or social media feed is anything like my own you'll have probably been inundated with a stream of marketing material following the WannaCry(pt) outbreak last week. Amongst all the vendor bragging, claims and offers of free trials and assessments I've seen a lot of good advice from security professionals. The message is clear enough to sum up in one sentence for technical staff - patch, manage your network, do the basics. For security practitioners, this advice is a message they've repeated enough to become mantra.

I thought then it might be useful to look at this recent event through a different lens and provide a pocket guide for Business Managers looking to assess the situation and provide Business Owners with an understanding of their exposure. This can be used then to identify what help (if any) your technical teams need.  Clearly, a disconnect still exists in many organisations between risk owners and technical staff.  Below is a series of questions which…

WAR GAMES - Simulating Security Incidents

Why it's a good idea

There are myriad reasons to test, in peacetime, the controls and processes which collectively represent your incident readiness. These include:

- Validating your Incident Readiness - testing can confirm that you are as ready as you think you are, and that nothing has changed resulting in an end state which prevents you from initiating IR.
- Assess Controls Coverage and Identify Gaps - testing can confirm your controls coverage is adequate as well as highlighting those gaps which you'd rather not have in the event of a real issue.
- Demonstrate value of investment - you've probably spent a lot of time and other people's money acquiring controls, attracting talent and preparing for the eventuality of an incident. Internal stakeholders will likely already be looking for assurance that their investment has been worthwhile.
- Demonstrate investment and commitment to interested parties - internal stakeholders considered, you'll likely have external part…

Bug Bounty Programmes - Day 0 and Q1 thoughts

My mate Dan set up our bug bounty programme and wrote a post over at the company engineering blog about it back in November. It’s a solid guide to establishing your own with practical considerations for outlining such a programme, getting it off the ground, running it, rendering the benefits to your organisation and extending its coverage and scope over time.
It’s been a triumph and as we approach month 4 I wanted to spend a bit of time outlining some things worth considering before starting your own programme. I also wanted to dig into some of the points of friction we’ve encountered.

Before You Start (Day 0) 
First things first… Is a Bug Bounty Programme right for you?
If this is new to you and you’ve not already got your own programme up and running, it’s worth stopping to check that starting your own is right for you and your business.

Do you have the right people -or- the right people with enough time?
Your programme is going to need feeding and watering. It’s not just the *fixing* of …