You can't secure what you don't acknowledge.℠

Monday, February 6, 2017

Getting to know your network with Managed Switch Port Mapping Tool

In my years performing independent network security assessments, one thing that has really stood out to me is the lack of network insight. Regardless of the size of the organization, the industry in which they operate, and the level of security maturity, in most cases, I see IT and security shops with very little:
  • documentation
  • inventory
  • configuration standards
  • logging and alerting outside of basic resource monitoring
What this means – and what it can easily lead to – is incidents and subsequent breaches that may or may not be detected. These gaps combined with today's network complexities are virtually guaranteed to create unnecessary business risks.

In the spirit of having good tools to make your job easier, Northwest Performance Software has a program called Managed Switch Port Mapping Tool that can help put you on the right track in terms of getting to know your network environment, improving your visibility, and managing your ongoing changes. It's a tool that I have used off and on for years in conjunction with their popular toolset called NetScanTools Pro. The Managed Switch Port Mapping Tool is pretty straightforward – it simply uses SNMP to map out network switches which can provide a ton of information about entire network segments - information that often gets taken for granted. Here's a sample screenshot:
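
As an added illustration of what SNMP-based port mapping actually does (example code written for this post, not Northwest Performance Software's tool), this Python joins three tables a managed switch exposes over SNMP - the BRIDGE-MIB forwarding database, the bridge-port-to-ifIndex table, and IF-MIB ifName - into a MAC-to-port inventory, then flags ports where several MACs appear. The snmpwalk output is constructed; on a real network it would come from snmpwalk against a switch you administer.

```python
import re
from collections import defaultdict

# Constructed snmpwalk-style output for a hypothetical 24-port access switch.
# Nothing here is a real device or address. snmpwalk renders the BRIDGE-MIB
# FDB index (the learned MAC) as six decimal octets after the column name.
SNMP_WALK = """\
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.86 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.80.86.1.2.3 = INTEGER: 24
BRIDGE-MIB::dot1dTpFdbPort.0.80.86.1.2.4 = INTEGER: 24
BRIDGE-MIB::dot1dTpFdbPort.0.80.86.1.2.5 = INTEGER: 24
BRIDGE-MIB::dot1dBasePortIfIndex.3 = INTEGER: 10003
BRIDGE-MIB::dot1dBasePortIfIndex.7 = INTEGER: 10007
BRIDGE-MIB::dot1dBasePortIfIndex.24 = INTEGER: 10024
IF-MIB::ifName.10003 = STRING: Gi1/0/3
IF-MIB::ifName.10007 = STRING: Gi1/0/7
IF-MIB::ifName.10024 = STRING: Gi1/0/24
"""

LINE_RE = re.compile(r"^\S+::(\w+)\.([\d.]+) = \w+: (.+)$")

def parse_walk(text):
    """Group walk lines by MIB column: {column: {index: value}}."""
    tables = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, index, value = m.groups()
            tables[column][index] = value.strip()
    return tables

def octets_to_mac(index):
    """'0.17.34.51.68.85' -> '00:11:22:33:44:55'."""
    return ":".join(f"{int(o):02x}" for o in index.split("."))

def map_macs_to_ports(tables):
    """Join FDB -> bridge port -> ifIndex -> ifName: the core of port mapping."""
    port_to_ifindex = tables["dot1dBasePortIfIndex"]
    ifindex_to_name = tables["ifName"]
    mapping = {}
    for index, bridge_port in tables["dot1dTpFdbPort"].items():
        ifindex = port_to_ifindex.get(bridge_port)
        name = ifindex_to_name.get(ifindex) if ifindex else None
        mapping[octets_to_mac(index)] = name or "unknown"
    return mapping

def ports_with_many_macs(mapping, threshold=2):
    """Ports carrying several MACs are usually uplinks, hubs or unmanaged
    switches rather than single endpoints: the spots an inventory should
    question instead of silently recording."""
    by_port = defaultdict(list)
    for mac, port in mapping.items():
        by_port[port].append(mac)
    return {p: sorted(m) for p, m in by_port.items() if len(m) >= threshold}

if __name__ == "__main__":
    macs = map_macs_to_ports(parse_walk(SNMP_WALK))
    for mac, port in sorted(macs.items(), key=lambda kv: kv[1]):
        print(f"{port:10} {mac}")
    for port, seen in ports_with_many_macs(macs).items():
        print(f"{port}: {len(seen)} MACs seen, likely an uplink or daisy-chained device")
```

On many switches the forwarding database is kept per VLAN and has to be walked once per VLAN (or via Q-BRIDGE-MIB), so a single walk like this one may show only part of the picture.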

We work in a world where vendors are pushing SIEM, CASB, and Next-Gen Whatevers while, at the same time, we don't even have the network and security basics down pat. We're too busy spending time and money on the latest and greatest technologies when we need to just go back and do more to get a grasp on the core essentials of the network. Once that has been achieved, then – and only then – does it make sense to buy into what we're being sold. Just be careful, because such proposals may not always be in your best interest!

Kirk Thomas at Northwest Performance Software has been creating these network tools for a couple of decades now. I first learned about NetScanTools back in the mid-1990s at Novell's BrainShare conference (remember the awesome OS called NetWare!?). Anyway, if you're looking to get a better grasp on your network while, at the same time, improving your overall security posture, check out these tools. They'll only serve to make you look better. If you're like me, you can use a dose of that every now and then!


Thursday, January 19, 2017

Children's Hospital Los Angeles breach reminds us that HIPAA means nothing if you ignore its requirements

Back in 2007 I wrote a blog post on what it's going to take to encrypt laptop hard drives. After seeing this recent story about Children's Hospital Los Angeles, I can't help but shake my head.
The 0 comments on this article say a lot, as society is becoming immune to these breaches...I think I've heard it called breach fatigue - it's not unlike presidential politics as of late!
 
In 2007, these decisions were bad enough...Like weak passwords, unencrypted laptops - especially if they're known to have PHI or PII - are simply inexcusable knowing what we now know in 2017. Doctors are smarter than that.

If anything - like all other lost/stolen laptops with sensitive information that have been regulated by things such as HIPAA for 12+ years - it shows that government and industry laws can't force people to make good decisions. Furthermore, "smart" people in positions of power running businesses don't know as much about security as they think they do and aren't as immune to security gaffes as they think they are.

Sunday, January 8, 2017

Hacking is not just an action, it's an excuse

Given all the ridiculous analyses and "findings" on Russian hacking as of late - such as federal government bureaucrats who said there's no evidence to prosecute Clinton, or who claim that the NSA does not collect data on American citizens, yet who are certain that the Russians meddled in the U.S. election - many of which assertions come from talking heads with zero experience working in this field, I thought this blog post I wrote back in June of 2011 was worthy of a re-post:


Weiner fallout: "I got hacked" is the new scapegoat

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media coverage of WeinerGate is how you get to the truth...you do X, Y and Z to reveal what really happened. Be it a simple forensic analysis of Weiner's computer(s) all the way to subpoenaing Twitter for the log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...
Here are some reading assignments for you written by two of my peers - leaders in our field and fellas who have their heads on straight about this Russian hacking storyline:

"From Putin with Love" - a novel by the New York Times by Rob Graham

Of course it was the Russians by Peter Stephenson

I may be wrong...I often am. There's always three sides to every story (yours, theirs, and the truth). Knowing what I know about information security along with politicians/bureaucrats and their motivations, I'm a bit skeptical.

By the way, don't let our rulers in the U.S. fool you as this country has been meddling in foreign elections for years - perhaps a bit more legitimately:
https://www.theguardian.com/commentisfree/2017/jan/05/americans-spot-election-meddling-doing-years-vladimir-putin-donald-trump

http://www.latimes.com/nation/la-na-us-intervention-foreign-elections-20161213-story.html

http://www.npr.org/2016/12/22/506625913/database-tracks-history-of-u-s-meddling-in-foreign-elections

Tuesday, January 3, 2017

Keys to a great 2017

Welcome to 2017! 

It's another year and another great opportunity to get security right in your organization. As you return to work with a cleared mind and good intentions, building (or maintaining) an effective information security program in the New Year is not unlike my favorite passion: car racing. You not only need to get off to a good start but you also need to keep up your momentum...lap after lap on the track, week after week at the office. The only difference is that car races must come to an end. Information security programs must withstand the test of time. The question is: what are you going to do this year to make things better?

On New Year's Day, I received an email newsletter from Ross Bentley, a very accomplished racecar driver and probably the world's most well-known racing coach and instructor. In this email, Ross talked about the difference between the best drivers and the rest, and I think it ties in nicely with my long-time talking points about information security. Here are some of Ross's words:

There are 3 things (not surprisingly) that make the difference:
1. They focus on the basics. The advanced stuff is just doing the basics better.
2. They're committed to learning. They make learning an objective. They know that the more they know, the better they will get.
3. They prepare.
As I reflect on what it's going to take in 2017 for me to become a better information security professional and racecar driver along with how I can advise my clients on how to improve their information security programs, I couldn't have said it any better or any differently than what Ross said. Over the past 11 years, Ross has (unknowingly) taught me just about everything I know about racing cars. Take his advice, combine it with what I've been saying about information security basics, and add in some discipline and persistence day after day and you'll no doubt improve your information security program this year.

For further reading, here are two pieces that I wrote on setting - and achieving - goals that you might enjoy:

8 steps for accomplishing your IT career goals

Setting and Achieving Realistic Information Security Program Goals for 2016



Cheers!



Monday, December 12, 2016

Trump's an expert on hacking too, huh?

Yesterday, soon-to-be President Donald Trump showed just how ignorant politicians can be when it comes to computer security, breaches, and hacking. Referring to the Russians interfering with our recent election, the Donald said:
"Once they hack if you don't catch them in the act you're not going to catch them...They have no idea if it's Russia or China or somebody. It could be somebody sitting in a bed some place."
It's interesting. I've been involved with and heard of many additional hacking situations where the culprit was caught well after the fact...And, yet, the general public buys this kind of stuff because they don't know any better.

Who knows, maybe the Russians were involved. We, the people, will never know the details. Still, this seems to be yet another one of his statements without forethought. And to think this guy is going to be in charge of "cybersecurity" for our country. Between this kind of stuff and his continued attempts telling us what we can't do and how we must think, it's going to be an interesting four years!

Monday, December 5, 2016

Using NowSecure for automated mobile app testing

As an independent information security consultant, I'm always looking for good testing tools to rely on for my work. These tools, such as vulnerability scanners, network analyzers/proxies, and related manual analysis tools, are not the be-all-end-all answer for uncovering security weaknesses, but they are a very important aspect of what I do. Be it more generic vulnerability scans, a targeted penetration test, or a broader, more in-depth, security assessment, I simply don't have the time or brainpower to forgo using good tools.

In the interest of working smarter and not harder, there's a neat mobile app security testing automation tool from NowSecure that can automate the process of mobile app security analysis. This cloud or on-premises platform can be used on currently-deployed mobile apps or apps that are in the middle of their development lifecycle. Just load the APK (Android) or IPA (iOS) file for the mobile app to be tested and the checks are run - including real-world, dynamic simulation - and the report is generated.

You're provided with the specific vulnerability, CVSS references, and recommendations for each finding. NowSecure also includes informational findings as well as security checks that "passed". A summary view of sample findings is shown as follows:




Additional information regarding the mobile app's functionality is provided including:
  • Network connections outlining who/what the mobile app talks to (I always find this amusing and sometimes scary!)   
  • Behavioral events of specific app methods that are run along with timestamps
  • URLs listed in the source code and files contained in the archive package
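
To make the "files contained in the archive" and "URLs listed in the source code" findings concrete, here is an added example (my own illustration, not NowSecure's code) that treats an APK as the zip file it is, lists its entries, pulls http(s) strings out of every file, and calls out endpoints reached over cleartext. The APK is constructed in memory with made-up package and host names so it runs offline.

```python
import io
import re
import zipfile
from collections import defaultdict

# Any http(s) URL as it would sit in a dex file or a text resource.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def build_sample_apk():
    """Constructed stand-in for an APK (which is a zip) with a few typical
    entries. The package name, hosts and contents are all made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml",
                   b"<manifest package='com.example.demo'/>")
        # Compiled code keeps string constants NUL-terminated; two endpoints here.
        z.writestr("classes.dex", b"dex\n035\x00"
                   b"https://api.example.com/v1/login\x00"
                   b"http://cdn.example.com/config.json\x00")
        z.writestr("assets/config.properties",
                   b"telemetry=http://telemetry.example.net/collect\n")
        z.writestr("res/raw/cert.pem", b"-----BEGIN CERTIFICATE-----\n")
    return buf.getvalue()

def inventory(apk_bytes):
    """Return (list of archive entries, {url: [entries that contain it]})."""
    urls = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for name in names:
            for m in URL_RE.finditer(z.read(name)):
                urls[m.group().decode("ascii", "replace")].add(name)
    return names, {u: sorted(e) for u, e in urls.items()}

def cleartext_urls(urls):
    """Endpoints reached over plain http: worth a finding, since anything the
    app fetches from them can be read or altered on the network path."""
    return sorted(u for u in urls if u.startswith("http://"))

if __name__ == "__main__":
    names, found = inventory(build_sample_apk())
    print("files in archive:", ", ".join(names))
    for url, where in sorted(found.items()):
        print(f"{url}  <- {', '.join(where)}")
    for url in cleartext_urls(found):
        print(f"FINDING cleartext endpoint: {url}")
```

A static pass like this only shows what is literally in the package; URLs that are built at runtime or fetched from a server are what the tool's dynamic simulation is there to catch.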
NowSecure provides an interesting and refreshing approach to security testing. I had someone contact me years ago asking if I had a way to automate the process of testing numerous mobile apps. I didn't and wish I would have - or at least wish NowSecure's current platform would've been around then! Mobile app security testing is (still) a big and underserved market to say the least. This type of tool can help take some pain out of the mobile app security assessment process. Some people out there may be good enough to do manual testing of every computer, web application, and mobile app that's thrown their way. However, odds are these folks are not getting a lot done or providing much value to their employers, customers, or even themselves.

There's too much to do with security and not nearly enough time to do it. Work smart. Don't re-invent the wheel. Automate your security testing with tools like NowSecure where you can. Of course, perform your manual analysis where you need to. I never advocate relying solely on automated tools when performing a full security assessment. There's too much to overlook and lose. However, mobile apps are largely an unexplored frontier so you're going to have to rely on good tools to point you in the right direction and (especially) find those niche flaws that would be impossible or unreasonable to uncover otherwise.

Thursday, November 17, 2016

Careers in information security, dealing with ransomware, and more

With the field of information security as popular as ever, I thought this would be a good time to share some pieces I've written on breaking into the field along with a few more on information security leadership. Oh, and I've thrown in a couple of pieces and a webcast on ransomware since that's a big deal these days. Enjoy!

10 Tips for Breaking into the Infosec Field 

What type of organization needs a CISSP on staff?

The important distinction between security facts and security problems

Why System Administrators are so Crucial to Security

The side-effects of miscommunication between IT and security pros
 

Security mistakes executives make

CEO Spoofing - Don't get fooled
 

Five ways to prevent a ransomware infection through network security 

Ransomware, Social Engineering and Human Error: What could go wrong?


As always, be sure to check out all of my other information security articles, webcasts, etc. on my website.


Wednesday, September 21, 2016

Join me along with ISACA and TechTarget today to learn about how to advance your infosec career!


I'm happy to announce that I'll be joining ISACA and TechTarget for their annual online security seminar - a day-long learning event for IT and information security professionals.  My session this afternoon, which starts at 3:30pm ET, will be I Can Do versus I Have Done...Certification, Experience, and the Information Security Career Path.


You can register by clicking the image or via this link:
http://www.bitpipe.com/data/document.do?res_id=1469026420_560  

I hope to "see" you there!

Monday, September 19, 2016

People Behaving Badly and information security's tie-in

Last week, I had the opportunity to travel to the Bay Area in California to record an information security video (thanks Intel and TechTarget!). Of course, I couldn't travel across the country and not see the sights of San Francisco. A most excellent highlight of the trip was for my son and me to meet television and social media celebrity Stanley Roberts. My son is a huge fan of Stanley's, has learned a ton from him (me too!), and was over-the-moon excited to be able to meet him in person.



I wanted to share with you Stanley's videos (a really good "best of" is below) and how his work relates to what we do for a living. Stanley catching people in the act of doing bad things, intentionally or perhaps through ignorance, is the very thing that drives the field of information security today. It's the essence of my previous blog post from today and my whole shtick that if we just addressed the basics of security (followed the core best practices and rules) we wouldn't experience the consequences.

Stanley, we need to figure out how to do something on "people behaving badly with computers"!

Check out Stanley's YouTube channel or, if you're in the Bay Area, KRON 4 News...I think you'll enjoy it. If anything, beyond the laughs, you'll see that crazy human behavior is across the board in all aspects of life, not just in IT and security.


What, exactly, is reasonable security? The state of California knows!

With all that's happening in the world of information security, it seems that there's never enough regulation. From HIPAA to the state breach notification laws to PCI DSS and beyond, there are rules - and guidance - around every corner. Oddly enough, the breaches keep occurring, as if what we've been told up to this point is not reasonable enough. Some people, mostly federal government bureaucrats and lawyers who stand to benefit from such power, believe we need more regulations. Some are even attempting to rebrand information security as "cybersecurity", which only serves to create another layer of complexity and hurt our cause long-term.

Presumably, more regulations will clarify what "reasonable security" means. I disagree. The core information security essentials that we need to follow in order to be secure have been around for decades. Yet people think we need more guidance, more rules, more control. It's the mindset that many have toward fixing government schools: don't address the real problems, just throw more money at things and the challenges should go away soon. If things were only that simple!

If we're going to address information security reasonably, we don't need more regulations...what we need is discipline. The discipline to execute the security essentials over and over again, no matter how boring, how repetitive, and how politically inconvenient they are. I love what Kamala Harris, Attorney General for the state of California, wrote in her 2016 California Data Breach Report:

RECOMMENDATION 1:
The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.


Folks, it's as simple as that...Ignoring the problem won't make it go away. Unless and until we address the core security practices - practices that have been proven to work time and again - we'll continue to struggle. So, what's it going to be?

Wednesday, August 24, 2016

A WordPress security resource for you: WP Security Audit Log

WordPress has had its fair share of security flaws over the years. Arguably more than any other mainstream platform. A quick search of 'wordpress' at the National Vulnerability Database returns over 1,100 published vulnerabilities as old as 2004 and several as recent as this month. Despite all of the security issues, WordPress is a highly-popular platform for businesses and individuals alike to create their online presence.

There are a lot of plug-ins and related resources to help with WordPress security, but there's one that I'm familiar with that you might want to check out. It's available through WP White Security - a company run by my colleague and web security expert Robert Abela. He not only offers WordPress security consulting services around hardening, malware removal, and the like but, more importantly (from a proactive security point of view at least), a plug-in that you can use to lock down your web presence and keep it in check, called WP Security Audit Log.

I've been thinking of using WordPress to host a website but I've held off because of the security flaws that come with it if it's not proactively maintained and monitored. Tools such as WP Security Audit Log are the only way to go outside of a managed security service to ensure your website is not exploited for ill-gotten gains. If you host your own WordPress website and you're not a technical person, then something like this is an absolute no-brainer. I've been telling Robert for a couple of years now that I was going to write a blog post to share his offerings with my audience. I'm guessing I could've helped prevent untold exploits and breaches had I done it sooner! I hope you find it beneficial nonetheless.

One final thing - another good practice that's often required by law or contract - if anything, common sense - is to run periodic web vulnerability scans to check for common vulnerabilities that can create problems for your website and, ultimately, your business. Better to be safe than sorry...