The Capital One Breach And What We Should Really Be Talking About

I’m not going to try and write anything regarding the attack vector, Erick Johnson did that well here: https://ejj.io/blog/capital-one I’m not going to give an executive overview, Krebs did that well here: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/ I really just want to bring up something I haven’t heard enough people talking about, detection. There has been lots of conversation around many different perspectives: Is Amazon to blame, Is Capital One to blame, who wrote the application,… Read More »The Capital One Breach And What We Should Really Be Talking About

The Assumed Breach Model – A Practical Approach Part 3

In Part 1 of this series I gave a brief overview of  the assumed breach model of security.  In Part 2, I dove into some details about major components to implementing the assumed breach model.  In Part 3, I am going to provide some concise, real world steps to moving toward this mindset within an organization.  I’ll use the same three categories from Part 2. This will be something that… Read More »The Assumed Breach Model – A Practical Approach Part 3

#Spectre and #Meltdown – What do we do?

Seems like now about every 6 months or so every asks this same question about some new vulnerability.  The answer should be the same, do the same thing you should have been doing before this vulnerability came out. In an Assumed Breach model of security, these vulnerability would have already existed, and your other network controls, in most cases, would have rendered them no worse than a phishing email (which… Read More »#Spectre and #Meltdown – What do we do?

The Assumed Breach Model – A Practical Approach Part 2

In Part 1, I gave a brief overview of the Assumed Breach model.  In this part, I will begin to dive a little deeper into some of the areas where the assumed breach model can focus.  I am going to cover three areas: Network Segmentation Tiered Accounts and Access Control Log Management and Threat Hunting The idea is not to simply prevent attacks (though this is still an integral part… Read More »The Assumed Breach Model – A Practical Approach Part 2

10 Immutable Laws of an Assumed Breach

A few years back Microsoft released a set of 10 Immutable Laws of Security. These are tried and true and should be a foundation of security posture.  I have been developing some information around the Assumed Breach model of security.  You can read about it in a series of blog posts I am going to be publishing after the holidays on that very topic.  In this series, I am going… Read More »10 Immutable Laws of an Assumed Breach

The Assumed Breach Model – A Practical Approach Part 1

This is something I have been socializing for a while now, but I thought it was time to start putting some of thoughts down in writing. So what is the assumed breach model of security? To put it simply, it is a security strategy that assumes any given endpoint is breached and controls risk as such. That is an oversimplification, of course, as taking that approach would be an enormous… Read More »The Assumed Breach Model – A Practical Approach Part 1

Windows Event Log Management Presentation

I recently presented a brief presentation to the Central Alabama ISSA Chapter on Windows Event Forwarding (WEF).  I have a previous blog with a number of resources for getting WEF up and going.  The main point of this presentation was to point out the simplicity of WEF and for people to consider what they are monitoring and is it actually detecting what matters. [slideshare id=84332793&doc=windowseventlogmanagement-171218025835]

WannaCry – Sifting Through The Hype

There has already been a number of blog posts and analysis of the WannaCry ransomware attack.  I am not going to attempt to add any detail to that.  I do find it helpful to have a consolidated list of well sourced resources. Bottom Line Rollout MS17-010 to any systems that don’t have it If you have unsupported operating systems and/or can’t patch – figure out how to isolate those devices,… Read More »WannaCry – Sifting Through The Hype

IaaS and the Shared Responsibility Model

  A note to vendors: Infrastructure as a Service (IaaS) != secure/compliant applications, it can, but doesn’t by default. Why are people putting their servers and applications in IaaS providers like AWS and Azure? They can get a cheap, fast and secured data center to host their servers/applications. But that doesn’t mean they get the same thing they would in a locally managed data center within their company.  Amazon lists… Read More »IaaS and the Shared Responsibility Model

NIST Guide for Cybersecurity Incident Recovery

NIST, National Institute for Standards and Technology, just released a new guide for incident response and recovery for a cyber security incident. What is a Cyber Security Incident? According to NIST Special Publication 800-61, Computer Security and Incident Handling Guide, an event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a… Read More »NIST Guide for Cybersecurity Incident Recovery