
Geek Speak

20 Posts authored by: Dez Employee

THWACKcamp 2018 – Tips & Tricks: Thinking Outside the Box

 

          THWACKcamp 2018 is approaching fast, which also means it’s time for one of our most popular THWACKcamp sessions—Tips & Tricks.

 

          In this Tips & Tricks session, titled “Tips & Tricks: Thinking Outside the Box,” I will be joined by THWACK® MVP and SolarWinds Technical Content Manager Kevin Sparenberg as we delve into some of your favorite products and how to get the most out of them with these simple but powerful tips and tricks. We want to make sure your products are tailored to your needs and are adaptable to the nuances of your particular IT needs. Live demos with step-by-step direction will help you visually recognize the different capabilities available to you within some of your favorite tools, making it easy for you to play around with some of these cool features. Want to get more out of your Orion® Platform, particularly the Orion SDK? We’ve got you covered. Been thinking about how you can get ahead of API exhaustion for Office 365 or other, similar tools? Not a problem. Ready to learn more about the Millennium Falcon LEGO alert? Sure thing.

 

          In case you haven’t already heard, registration for THWACKcamp is open, so it’s time for you to sign up for this entirely free, 100% virtual, multi-track learning event. Take advantage of our comprehensive and totally entertaining sessions, featuring your beloved SolarWinds Head Geeks, as well as technical experts on the wide range of relevant and necessary topics in the world of IT.

THWACKcamp 2018 – People Do Dumb Things: Why Security is Hard for IT Pros

 

We often hear a lot of discussion about high-level security, but these types of concerns aren’t really what the general public is facing on a day-to-day basis, at work, or at home. People who have a very limited or virtually non-existent background in IT might not even realize that the things they’re doing are putting their data, your data, and potentially even your business at risk. So what kind of security risks do we see from the vast majority of the people across all companies and organizations, and how do we actually resolve them?

 

In this THWACKcamp panel session “People Do Dumb Things: Why Security is Hard for IT Pros,” I’ll be joined by Broadway National Bank Sr. Network Security Engineer and THWACK® MVP Paul Guido, CS Disco Software Engineer/QA architect Mandy Hubbard, and Computer and Network Security Shaman Sandy Hawke to discuss the most practical ways that you can keep team members from putting your security at risk. We’ll place some of our IT expertise on the back burner as we try to tackle these issues from an IT novice viewpoint, so we can come to realistic and meaningful solutions on how you can help prevent these small and large security fumbles from happening in the first place. As security breaches become more commonplace, it’s important that we as IT professionals remember that these breaches don’t have to be the norm. Even the use of social media can hold potential threats that we need to think about and create safeguards for. This session is geared for people of all IT skill levels who want to improve their security—so basically, everyone.

 

Not yet registered for the premier IT event that thousands of your peers have already signed up for? No worries, you can register for THWACKcamp 2018 today! With two days of sessions—taking place October 17 – 18—THWACKcamp provides you with the opportunity to learn from SolarWinds Head Geeks and IT industry experts in a number of different fields, all for free and from the comfort of your laptop. Don’t miss out on this entirely free, virtual IT event that’s sure to take your IT game to the next level.

   THWACKcamp 2018 Preview - Six Ways to Improve Your Security Posture

 

  In case you’ve somehow missed the news, registration for THWACKcamp 2018 is now open! In our annual free, virtual, multi-track IT learning event, you’ll have the chance to hear from industry experts as well as SolarWinds Head Geeks and technical staff. I’m particularly excited for my “Six Ways to Improve Your Security Posture Using Critical Security Controls” session, happening October 17 at 11 a.m. CT.

 

     Security policies within organizations are under a lot of scrutiny these days. Luckily, the Center for Internet Security (CIS) has published the Critical Security Controls as guidelines to help you maintain good cyber hygiene. The CIS Controls are created and updated by security practitioners to help organizations defend against the most common vulnerabilities and threats.

 

     In this session, join me and my security co-host of awesome, Senior Product Manager Jamie Hynds, as we discuss the top six CIS Controls and how you can use SolarWinds security management tools to help back up these controls. You may already have these tools, but are you using them to help promote a secure environment?

 

     THWACKcamp is a live virtual learning event on October 17 – 18, 2018, featuring 18 sessions split into two tracks. Best of all, it’s monetary- and travel-free! Session topics include new technology, optimizing virtualization, automation guides, and thought leadership admins care about, not just vendor hype. Be sure to register today and attend to take advantage of live Q&A during each session!

 

 

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.


 

 

 

 

 

 

Dez

IT Pro Day

Posted by Dez Employee Sep 18, 2018

          Guess who's back, back again, IT Pro Day, tell a friend! SolarWinds has once again allowed me to circle the sun as a SolarWinds Head Geek. To me, IT Pro Day is something of a celebration of achievement in goals every year that I once could only imagine. Curiosity has led me down numerous certification paths and even back to college a few times. I celebrate every new mind-expanding opportunity that I’ve been allowed in my career.

 

          Today I was asked, “As a technology professional, what would you change if you had the time, resources, and ability to use your tech prowess to do absolutely anything?” Great mind-mapping question indeed. It led me instantly to wonder whether, if I were given unlimited time and money, I would want to focus on becoming a teacher of cybersecurity and information assurance within STEAM programs. After all, security is an art that needs to be appreciated at all levels.

 

          Spreading knowledge, especially within IT security, is something I believe in passionately. There’s currently a huge gap in security professionals, and by golly, if I have anything to say or do about it, I want that to change quickly! I now work with vocational teachers and help to encourage teachers and young students to dig in and be creative with IT.

 

          If we’re not investing in the next generation, how can we expect to have products that meet their future needs? You have to carve out the time to hear out their mindsets and understand how they approach and solve problems. This allows you, whether as an individual or a company, to provide your future customers with services, products, and even marketing that will keep you and your company relevant to them.

 

          Personally, this IT Pro Day has me thinking about how I can contribute more to things like STEAM programs and Cyber Days for students of all ages. It starts with an idea and can grow into a habit once you allow yourself a little time. I, for one, will start planning my days with at least 10 minutes brainstorming how I can be an IT contributor, and not just a consumer.

 

Destiny Bertucci, Head Geek, SolarWinds

So, I wanted to at least touch base with everyone on the “scandal” of the week. Is it fake news? A new way to manipulate stock prices? A new kind of ransom scheme? Corporate espionage?

 

I waited until at least some of the dust had settled to write this post. I wanted to be able to make accurate judgment calls and present a level-headed offering of thoughts and ideas. Here they are:

 

  1. Yes, there are security flaws (over a dozen) in these processors.
  2. No, at this time they are not mission critical, because exploiting them requires physical access AND administrator/root credentials.
  3. The lab that disclosed these flaws had stock interests associated with its findings.
  4. They gave AMD only 24 hours to respond before going public.

 

People are still discussing the processor story, so consider this an up-to-date discussion. Let it also be a friendly reminder that we have to check the general “sky is falling” mentality, especially in security. Key takeaway? Focus on best practices.

 

 

We should strive to have due diligence on the risk, determine appropriate measures to respond, and showcase the balance between risk and business as usual.

 

Since I believe you can benefit from them, here are my top three security practices:

 

Infrastructure monitoring

Determining baselines winds up bringing incredible value to any organization, department, and technology as a whole. The importance and power of baselines sometimes gets overlooked, and that saddens me. It is all too common for folks to wait until after they experience an incident to set up monitoring. That is simply a reaction, not a proactive approach.

 

Once you begin monitoring, you can start comparing solutions to risk. This is how you can test solutions to risks and vulnerabilities before you go full on “PLAID” mode (Spaceballs reference. #sorrynotsorry), only to find that you have created a larger issue than the risk itself. Comparative reporting is an excellent way to prove that you have done your due diligence in understanding the impact of the threat and the solution as a whole.
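Here is what a numeric baseline and the before/after comparison look like in practice, as an added example (not code from this post or from any SolarWinds product). It takes a constructed history of one metric (hourly outbound megabytes from a single server), uses mean and standard deviation as the definition of "normal," flags a new sample that falls more than three standard deviations out, and produces the comparative report for a change window so you can show that a fix did not create a bigger problem than the risk. The sample numbers and the three-sigma threshold are assumptions; your own baseline window and tolerance will differ.

```python
"""Baseline a metric and compare windows around a change.

Added example, not code from the post or from any SolarWinds product.
"""
from statistics import mean, pstdev

# Constructed sample (not real telemetry): hourly outbound megabytes from one
# server over two quiet days. In practice this comes from your monitoring platform.
HISTORY_MB = [42, 45, 40, 44, 47, 43, 41, 46, 44, 42, 45, 43, 40, 44]


def baseline(samples):
    """Return (mean, population stddev): the numeric definition of 'normal'."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to establish a baseline")
    return mean(samples), pstdev(samples)


def is_anomalous(value, samples, sigma=3.0):
    """True when `value` sits more than `sigma` standard deviations from the baseline."""
    mu, sd = baseline(samples)
    if sd == 0:
        # A perfectly flat history: any change at all is a deviation.
        return value != mu
    return abs(value - mu) / sd > sigma


def compare_windows(before, after, sigma=3.0):
    """Comparative report for a change (patch, config push, mitigation).

    Measures how far the post-change mean moved, in units of the pre-change
    standard deviation, so you can show the fix did not create a bigger problem.
    """
    mu_before, sd_before = baseline(before)
    mu_after, _ = baseline(after)
    if sd_before == 0:
        shift = 0.0 if mu_after == mu_before else float("inf")
    else:
        shift = (mu_after - mu_before) / sd_before
    return {
        "before_mean": round(mu_before, 2),
        "after_mean": round(mu_after, 2),
        "shift_sigmas": round(shift, 2),
        "regressed": abs(shift) > sigma,
    }


if __name__ == "__main__":
    print("baseline (mean, stddev):", baseline(HISTORY_MB))
    print("300 MB in one hour anomalous?", is_anomalous(300, HISTORY_MB))
    print("after a harmless patch:", compare_windows(HISTORY_MB, [44, 43, 45, 42]))
    print("after a bad change:", compare_windows(HISTORY_MB, [90, 95, 88, 92]))
```

The point of `compare_windows` is the comparative report: the same baseline that catches an attacker's traffic spike also tells you whether your own mitigation moved the needle in the wrong direction.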

 

Threat management policies

You should define a policy that addresses how to deal with threats, vulnerabilities, and concerns immediately and openly. It should live where everyone can access it, and be clearly laid out so that everyone knows what is happening even before you have the solution. This helps to stop, or at least slow down, the management fire alarms, universally expressed as, “What are we going to do NOW?”

 

The policy should include a timeline of events that everyone can understand. For example, let everyone know that there will be an email update outlining next steps within 48 hours of the incident. In other words, you are telling everyone, “Hey, I’m working on the issue and I’ll make sure I update you. In the meantime, I’m doing my due diligence to make sure the outcome is beneficial for our company.”

 

Asset Management

You can't quickly assess your infrastructure if you are not aware of everything you manage, period.

 

There is power in knowing what you are managing in many realms, but my first go-to is asset reports. I need to know quickly what could, and more importantly what could not, be affected by any new threat, concern, or vulnerability.

 

The types of tools that allow me to monitor and update my assets give me much needed insight into where my focus should be, which is why I go there first. Doing so ensures that I won’t be distracted or overwhelmed by data points that aren’t relevant.

 

Finally, the responsibility of tracking and understanding any types of threat should be proactive and fully vetted. We should want to understand the issues before we blindly implement Band-Aids that can, potentially, hinder our business goals.

 

Using information to better the security within our organizations also brings us into the fabric of the business, assisting efforts to keep business costs low.

    

I hope you join this conversation because there are several touch points here. I’m very curious to hear your thoughts, comments, and opinions. For example, did you believe, when the processors were released, that they were a form of ransom? Do you see other opportunities to manhandle a company’s earnings by highlighting exploits for others’ gain?  Or, maybe you just sit back, watch the news with a scotch in your hand, and laugh.

 

Let's talk this over, shall we?

 

~Dez~

 


The THWACKcamp 2017 session, "Protecting the Business: Creating a Security Maturity Model with SIEM" is a must-see for anyone who’s curious about how event-based security managers actually work. SolarWinds Product Manager Jamie Hynds will join me to present a hands-on, end-to-end how-to on configuring and using SolarWinds Log & Event Manager. The session will cover configuring file integrity monitoring, understanding the effects of normalization, and creating event correlation rules. We'll also do a live demonstration of USB Defender (insertion detection, copy-activity detection, and USB blocking), Active Directory® user, group, and group-policy configuration for account monitoring, lockouts for suspicious activity, and detecting security log tampering.

 

Even if you’re not using LEM or a SIEM tool, this will be a valuable lesson on Active Directory threat considerations that will reveal real-world examples of attack techniques.
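To make the correlation rules above concrete, here is an added example in plain Python; it is not LEM's rule syntax and not code from the session. It walks a constructed set of already-normalized Windows Security events and fires a lockout-style alert when one account fails logon five times within 60 seconds, flags a freshly created account that lands in the local Administrators group within five minutes, treats every event 1102 (audit log cleared) as tampering, and finishes with a file-integrity check that compares SHA-256 digests against a stored baseline. The event IDs are the standard Windows ones (4625, 4720, 4732, 1102); the sample events, thresholds, and file contents are constructed.

```python
"""Correlation rules over Windows Security events, plus a file-integrity check.

Added example in plain Python; not LEM rule syntax and not code from the session.
"""
import hashlib
from collections import defaultdict, deque
from datetime import datetime

# Constructed, already-normalized events (not real logs). Standard Windows IDs:
# 4625 failed logon, 4720 user created, 4732 member added to a local group,
# 1102 audit log cleared.
EVENTS = [
    {"ts": "2017-09-20T08:00:01", "id": 4625, "user": "jdoe", "src": "10.0.0.9"},
    {"ts": "2017-09-20T08:00:04", "id": 4625, "user": "jdoe", "src": "10.0.0.9"},
    {"ts": "2017-09-20T08:00:09", "id": 4625, "user": "jdoe", "src": "10.0.0.9"},
    {"ts": "2017-09-20T08:00:15", "id": 4625, "user": "jdoe", "src": "10.0.0.9"},
    {"ts": "2017-09-20T08:00:22", "id": 4625, "user": "jdoe", "src": "10.0.0.9"},
    {"ts": "2017-09-20T08:00:30", "id": 4625, "user": "jdoe", "src": "10.0.0.9"},
    {"ts": "2017-09-20T08:01:00", "id": 4625, "user": "asmith", "src": "10.0.0.12"},
    {"ts": "2017-09-20T08:05:00", "id": 4720, "user": "svc_backup2", "src": "DC01"},
    {"ts": "2017-09-20T08:06:30", "id": 4732, "user": "svc_backup2", "src": "DC01",
     "group": "Administrators"},
    {"ts": "2017-09-20T08:10:00", "id": 1102, "user": "jdoe", "src": "FS01"},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")


def correlate(events, fail_threshold=5, fail_window_s=60, grant_window_s=300):
    """Return (rule, account, source) tuples for every rule that fires."""
    alerts = []
    failures = defaultdict(deque)   # account -> timestamps of recent 4625s
    created_at = {}                 # account -> when its 4720 was seen
    for ev in sorted(events, key=_ts):
        now, eid = _ts(ev), ev["id"]
        if eid == 4625:
            window = failures[ev["user"]]
            window.append(now)
            while (now - window[0]).total_seconds() > fail_window_s:
                window.popleft()
            # Fire exactly when the threshold is crossed, not on every later failure.
            if len(window) == fail_threshold:
                alerts.append(("LOGON_FAILURE_BURST", ev["user"], ev["src"]))
        elif eid == 4720:
            created_at[ev["user"]] = now
        elif eid == 4732 and ev.get("group") == "Administrators":
            born = created_at.get(ev["user"])
            if born is not None and (now - born).total_seconds() <= grant_window_s:
                alerts.append(("NEW_ACCOUNT_MADE_ADMIN", ev["user"], ev["src"]))
        elif eid == 1102:
            # Clearing the Security log is never routine; alert unconditionally.
            alerts.append(("AUDIT_LOG_CLEARED", ev["user"], ev["src"]))
    return alerts


def fim_changes(baseline_digests, current_files):
    """File-integrity check: names whose SHA-256 no longer matches the stored baseline."""
    return sorted(
        name for name, data in current_files.items()
        if hashlib.sha256(data).hexdigest() != baseline_digests.get(name)
    )


# Constructed file contents standing in for monitored system files.
BASELINE_FILES = {"hosts": b"127.0.0.1 localhost\n", "sshd_config": b"PermitRootLogin no\n"}
BASELINE_DIGESTS = {n: hashlib.sha256(d).hexdigest() for n, d in BASELINE_FILES.items()}
TAMPERED_FILES = {"hosts": b"127.0.0.1 localhost\n", "sshd_config": b"PermitRootLogin yes\n"}

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
    print("changed files:", fim_changes(BASELINE_DIGESTS, TAMPERED_FILES))
```

Two design points carry over to any SIEM: the burst rule fires once when the threshold is crossed rather than on every subsequent failure (otherwise one password-spraying run floods the console), and the 1102 rule has no threshold at all, because there is no benign volume of audit-log clearing.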

 

THWACKcamp is the premier virtual IT learning event connecting skilled IT professionals with industry experts and SolarWinds technical staff. Every year, thousands of attendees interact with each other on topics like network and systems monitoring. This year, THWACKcamp further expands its reach to consider emerging IT challenges like automation, hybrid IT, cloud-native APM, DevOps, security, and more. For 2017, we’re also including MSP operators for the first time.

THWACKcamp is 100% free and travel-free, and we'll be online with tips and tricks on how to use your SolarWinds products better, as well as best practices and expert recommendations on how to make IT more effective regardless of whose products you use. THWACKcamp comes to you so it’s easy for everyone on your team to attend. With over 16 hours of training, educational content, and collaboration, you won’t want to miss this!

 

Check out our promo video and register now for THWACKcamp 2017! And don't forget to catch our session!

I know, I'm a day late and quite possibly 37 cents short for my coffee this morning, so let's jump in, shall we?

 

Let's start with the Equifax breach. This came up in the Shields Down Conversation Number Two, so, I thought I would invite some of my friends from our security products to join me to discuss the breach from a few different angles.

 

My take will be from a business strategy (or lack of) standpoint. Roughly 143 million people had their personal data exposed because Equifax did not properly execute a simple patching plan. Seriously?

 

Is this blog series live and viewable? I am not the only person who implements patching, monitoring, log and event management in my environments. This is common knowledge. What I don't get is the why. Why, for the love of everything holy, do businesses not follow these basic practices?

 

CIxO or CXOs do not implement these practices. However, it is their duty (to their company and their core values) to put the right people in place who will ensure that security measures are being carried out.

 

Think about that for a moment and then know that there was a patch produced for the vulnerability that Equifax failed to remediate in March. This breach happened, as we all know, in mid-May. Where is the validation? Where was the plan? Where is the ticketing system tracking the maintenance that should've been completed on their systems? There are so many questions, especially since this happened in an enterprise organization, not some small shop somewhere.

 

Now, let's take this another step further. Equifax dropped another juicy nugget of information about a separate breach in March. Don't worry, though. It was an entirely different attack. The incredible part, however, is that some of the upper-level folks were able to sell their stock. That makes my heart happy, you know, to know that they had the time to sell their stock before they released information about being breached. Hats off to them for that, right?

 

Then, another company decided they needed to market and sell credit monitoring (for a reduced fee, that just so happens to use EQUIFAX SERVICES) to the individuals who were now at a high(er) risk of identity theft and credit fraud. I'm still blown away by this.

 

Okay. Deep breath. Whooooo.

 

I was recently informed that when you have third-party software, patching is limited, and that an organization's SLAs for application uptime don't allow patching on some of their servers. I hear you! I am a big believer that patching some servers can cause software to stop working or result in downtime. However, this is where you have to implement a lab and test patching. You should test your patches regardless, to make sure you are not causing issues in your environment in the first place.

 

I will implement patching on test servers, usually on a Friday, and then verify the status of my applications on the server. I will also go through my security checks to validate that no new holes or reverted settings have appeared before I implement in production within two weeks.

 

Now let's bring this back to the strategy at hand. When you are an enterprise corporation with large amounts of personal data belonging to your trusting customers (who are the very reason you are as large as you are), you better DARN WELL have a security plan that is overseen by more than one individual! Come on! This is not a small shop or even a business that could argue, "Who would want our customer data?" We're talking about Equifax, a company that holds data about plenty of consumers who happen to have great credit. Equifax is figuratively a lavish buffet for hackers.

 

The C-level of this company should have kept a close eye on the security measures being taken by the organization, including patching, SQL monitoring, log, events, and traffic monitoring. They should have known there were unpatched servers. The only thing I think they could have argued was the common refrain, "We cannot afford downtime for patching." But still. 

 

Your CxO or CIxO has to be your IT champion! They have to go nose to nose with their peers to make sure their properly and thoroughly designed security plans get implemented 100%. They hire the people to carry out such plans, and it is their responsibility to ensure that it gets done and isn't blocked at any level.

 

Enough venting, for the moment. Now I'd like to bring in some of my friends for their take on this Equifax nightmare that is STILL unfolding! Welcome joshberman, just one of my awesome friends here at SolarWinds, who always offers up great security ideas and thoughts.

 

Dez summed up things nicely in her comments above, but let's go back to the origins of this breach and explore the timeline of events to illustrate a few points.

 

  • March 6th: the exploited vulnerability, CVE-2017-5638, became public
  • March 7th: Security analysts began seeing attacks propagate that were designed to exploit this flaw
  • Mid-May: Equifax tracked the date of compromise back to this window of time
  • July 29th: the date Equifax discovered a breach had occurred

 

Had a proper patch management strategy been set in place and backed by the right patch management software to enable the patching of third-party applications, it is likely that Equifax might not have succumbed to such a devastating attack. This applies even if testing had been factored into the timelines, just as Dez recommends. "Patch early, patch often" certainly applies in this scenario, given the voracious speed of hackers to leverage newly discovered vulnerabilities as a means to their end. Once all is said and done, if there is one takeaway here, it is that patching, as a baseline IT security practice, is and will forever be a must. Beyond the obvious chink in Equifax's armor, there is a multitude of other means by which they could have thwarted this attack, or at least minimized its impact.

 

That's fantastic information, Josh. I appreciate your thoughts. 

 

I also asked mandevil (Robert) for his thoughts on the topic. He was on vacation, but he returned early to knock out some pertinent thoughts for me! Much appreciated, Robert!

 

Thanks, Dez. "We've had a breach and data has been obtained by entities outside of this company."

Imagine being the one responsible for maintaining a good security posture, and the sinking feeling you had when these words were spoken. If this is you, or even if you are tangentially involved in security, I hope this portion of this post helps you understand the importance of securing data at rest as it pertains to databases.

 

Securing data in your database

 

The only place data can't be encrypted is when it is in cache (memory). While data is at rest (on disk) or in flight (on the wire), it can and should be encrypted if it is deemed sensitive. This section will focus on encrypting data at rest. There are a couple different ways to encrypt data at rest when it is contained within a database. Many major database vendors like Microsoft (SQL Server) and Oracle provide a method of encrypting called Transparent Data Encryption (TDE). This allows you to encrypt the data in the files at the database, table space, or column level depending on the vendor. Encryption is implemented using certificates, keys, and strong algorithms and ciphers.

 

Links for more detail on vendor TDE description and implementation:

 

SQL Server TDE

Oracle TDE

 

Data encryption can also be implemented using an appliance. This is an option if you want to encrypt data but the database vendor doesn't offer a solution, or if licensing structures change with the use of their encryption. You may also have data outside of a database that you'd want to encrypt, which would make this option more attractive (think of log files that may contain sensitive data). I won't go into details about different offers out there, but I have researched several of these appliances and many appear to be highly securitized (strong algorithms and ciphers). Your storage array vendor(s) may also have solutions available.

 

What does this mean and how does it help?

 

Specifically, in the case of Equifax, storage level hacks do not appear to have been employed, but there are many occurrences where storage was the target. By securing your data at rest on your storage tier, it can prevent any storage level hacks from obtaining any useful data. Keep in mind that even large database vendors have vulnerabilities that can be exploited by capturing data in cache. Encrypting data at the storage level will not help mitigate this.

 

What you should know

 

Does implementing TDE impact performance? There is overhead associated with encrypting data at rest because the data needs to be decrypted when read from disk into cache. That will take additional CPU cycles and a bit more time. However, unless you are CPU-constrained, the impact should not be noticeable to end-users. It should be noted that index usage is not affected by TDE. Bottom line is if the data is sensitive enough that the statement at the top of this section gets you thinking along the lines of a resume-generating event, the negligible overhead impact of implementing encryption should not be a deterrent from its use. However, don't encrypt more than is needed. Understand any compliance policies that govern your business (PCI, HIPAA, SOX, etc.).
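Robert's section describes the shape of TDE rather than any vendor's commands, so here is an added example that models that shape in Python. It is not code from the post, and it is not how SQL Server or Oracle implement TDE; HMAC-SHA256 in counter mode stands in for the AES that real TDE uses, and the "disk" and "buffer cache" are plain dictionaries. What it shows is the key hierarchy (a per-database encryption key, itself stored wrapped under a master key that lives with the instance and not in the data files), that a copy of the data files alone yields only ciphertext, that the plaintext does exist in cache once a page has been read, and that restoring the files on another server without the master key backup fails. The key sizes, page contents, and the `TdeDatabase` class are assumptions for illustration.

```python
"""TDE key hierarchy in miniature: why storage dumps are useless and cache is not.

Added example; it models the idea, not SQL Server's or Oracle's implementation.
HMAC-SHA256 in counter mode stands in for the AES that real TDE uses.
"""
import hashlib
import hmac
import os


def _subkey(key, label):
    """Derive separate encryption and MAC keys so one secret is never reused for both."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """CTR-style keystream from a PRF (stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class TdeDatabase:
    """Pages on 'disk' are sealed with a per-database DEK; the DEK is persisted
    sealed under a master key that lives with the instance (certificate/wallet),
    never inside the data files."""

    def __init__(self, master_key):
        self.dek = os.urandom(32)                        # database encryption key
        self.wrapped_dek = seal(master_key, self.dek)    # what the DB header stores
        self.disk = {}      # page_id -> ciphertext: what the storage array holds
        self.cache = {}     # page_id -> plaintext: the buffer pool in RAM

    def write_page(self, page_id, data):
        self.cache[page_id] = data
        self.disk[page_id] = seal(self.dek, data)

    def read_page(self, page_id):
        # Decryption happens on the way from disk into cache: that is the CPU cost of TDE.
        if page_id not in self.cache:
            self.cache[page_id] = unseal(self.dek, self.disk[page_id])
        return self.cache[page_id]

    def evict(self, page_id):
        self.cache.pop(page_id, None)


def storage_tier_dump(db):
    """What an attacker who reads the LUN or copies the data files obtains."""
    return list(db.disk.values())


def memory_dump(db):
    """What an attacker who reads process memory obtains: TDE does not help here."""
    return list(db.cache.values())


def can_unwrap_dek(master_key, wrapped_dek):
    """Attaching the files elsewhere only works with the master key/certificate backup."""
    try:
        unseal(master_key, wrapped_dek)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = TdeDatabase(os.urandom(32))
    db.write_page(1, b"SSN=123-45-6789")
    db.evict(1)
    print("plaintext absent from storage:", all(b"123-45-6789" not in p for p in storage_tier_dump(db)))
    print("plaintext in cache after a read:", db.read_page(1) in memory_dump(db))
    print("restore without the master key:", can_unwrap_dek(os.urandom(32), db.wrapped_dek))
```

The last check is the operational caveat that bites people: if the certificate or wallet that protects the DEK is not backed up with the database, a good backup of the data files is still unreadable.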

 

Now to wrap this all up.

 

When we think of breaches, especially those involving highly sensitive data or data that falls under the scope of regulatory compliance, SIEM solutions certainly come to mind. This software performs a series of critical functions to support defense-in-depth strategies. In the case of Equifax, their most notable influence appears to be their attempt to minimize the time of detection with either the compromise or the breach itself. On one hand, they support the monitoring and alerting of anomalies on the network that could indicate a compromise. On the other, they can signal the exfiltration of data – the actual event of the breach – by monitoring traffic on endpoints and bringing to the foreground spikes in outbound traffic, which, depending on the details, may otherwise go unnoticed. I'm not prepared to make the assumption that Equifax was lacking such a solution, but given this timeline of events and their lag in response, it begs the question.

 

As always, thank you all for reading and keep up these excellent conversations.
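Josh's timeline and his closing point about time to detection both turn on the same question: would anyone have noticed the CVE-2017-5638 attempts going by? Here is an added example (not code from this post, and not a rule from any SolarWinds product) of the request-level check that catches them. The flaw sat in Struts 2's Jakarta Multipart parser, which evaluated an attacker-controlled Content-Type header as OGNL when the header failed to parse, so the detection looks at that one header, URL-decodes it twice because attackers encode their payloads, flags expression-language markers, and separately flags any header that is not a syntactically sane media type. The request records, addresses, and the truncated `[...]` payloads are constructed.

```python
"""Spot CVE-2017-5638 (Struts 2 Jakarta Multipart) exploit attempts in request records.

Added example; not code from the post and not a WAF rule from any product.
"""
import re
from urllib.parse import unquote

# Constructed request records as a reverse proxy or WAF would log them (not real
# traffic). The OGNL payloads are deliberately truncated with [...].
REQUESTS = [
    {"src": "203.0.113.7", "path": "/account/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    {"src": "198.51.100.23", "path": "/account/upload.action",
     "content_type": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).[...]}"},
    {"src": "198.51.100.23", "path": "/account/upload.action",
     "content_type": "%25%7B%28%23_%3D%27multipart/form-data%27%29.%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29"},
    {"src": "192.0.2.44", "path": "/login.action",
     "content_type": "application/x-www-form-urlencoded"},
    {"src": "192.0.2.45", "path": "/login.action", "content_type": ""},
]

# Expression-language markers that have no business in a Content-Type header.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.", re.IGNORECASE)
# A syntactically sane media type: type/subtype with optional parameters.
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;.*)?$")


def classify_content_type(value):
    """Return 'ognl' for an injection attempt, 'malformed' for a header the
    multipart parser would choke on, or None for a normal header."""
    decoded = unquote(unquote(value))  # attackers URL-encode, sometimes twice
    if OGNL_MARKERS.search(decoded):
        return "ognl"
    if not MEDIA_TYPE.match(decoded.strip()):
        return "malformed"
    return None


def find_probes(requests):
    """(source, path, verdict) for each request worth an analyst's attention."""
    hits = []
    for req in requests:
        verdict = classify_content_type(req["content_type"])
        if verdict:
            hits.append((req["src"], req["path"], verdict))
    return hits


if __name__ == "__main__":
    for hit in find_probes(REQUESTS):
        print(hit)
```

The "malformed" verdict is the interesting one for this bug: the exploit only works because the header is unparseable, so a burst of unparseable Content-Type values against `.action` endpoints is worth a look even when no OGNL token matches. Detecting the attempt on day one of the exploit's public life is what shrinks the "mid-May to July 29th" gap in the timeline above.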


THWACK members, I'm 100% loving the comments in this series! You all are giving me a much-needed boost in security thoughts and ideas. Thank you so much!

 

Conversation Number One led me to realize that I need to jot down the resources I use as my "go-to's." These are links to several places that help me to be cyber-aware if you will.  I would love for all of you to share your resources as well so we can help create a thread of wholesome greatness! tomiannelli, your comment, from Conversation One, that provided a link for more information (18 U.S. Code § 1030 - Fraud and related activity in connection with computers) was really thoughtful. I truly appreciate the sharing of knowledge.

 

Now, let's dive in, shall we?

 

Security Conferences

 

InfoSec

Conferences - O'Reilly Media

ShmooCon

SANS Events

 

Knowledge Links

 

Department of Homeland Security

I spend hours on this site trying to see which direction the government is leaning toward. I also like going there to view their education suggestions and which cyber security fields they are hiring in.

 

National Vulnerability Database

Checklists, data feeds, vulnerability metrics, and more resource links provided within. This is a bookmarked staple.

 

SANS Institute InfoSec

This is a white paper that I find myself reflecting on a lot. Especially when I'm focusing on new security plans with companies that have never really had one in place. The concepts and case studies within help to ground me for some reason.

 

Cisco Umbrella (https://learn-umbrella.cisco.com/ebooks)

Okay, if you click on this one it will want you to fill out information before you download any of their books. I'm a huge Cisco user and when it comes to security and concepts, well, I'm just like my best friend, Kate Asaff, when Apple has a release. Let's just say that I'm interested in the new capabilities and features.

 

There is SO much more, but these are my top picks that I consistently go back to. Now, DEF CON is not on any of my previous lists, and this is merely because I would assume it's expected. 

 

The challenge now (drum roll, please), is to prompt EVERYONE reading this to share your favorite security sites. On your mark, get set, GO!

"The network is down!" screams an unhappy user via VOIP. Ugh! How are we able to stay on top of applications, databases, networks, and services as network engineers? Metrics are something we can all understand. So, why not combine these into one view for easier troubleshooting and helping to assess situations quickly and accurately?

 

Join me and Senior Product Managers Steven Hunt and Chris O’Brien for our THWACKcamp 2017 session, "Monitoring Like a SysAdmin When You're a Network Engineer" to learn how you can apply system monitors to cover your business-critical applications and be proactive about keeping network issues to a minimum. We will also cover how to verify the performance of systems/applications after network upgrades or features have been applied, and discuss how to break down silos and engage with your systems teams to better monitor your network. You'll learn how to share dashboards that allow you to prove your network before, during, and after the fallout.

 

We are continuing our expanded-session, two-day, two-track format for THWACKcamp 2017. SolarWinds product managers and technical experts will guide attendees through how-to sessions designed to shed light on new challenges, while Head Geeks and IT thought leaders will discuss, debate, and provide context for a range of industry topics.

 

In our 100% free, virtual, multi-track IT learning event, thousands of attendees will have the opportunity to hear from industry experts and SolarWinds Head Geeks and technical staff. Registrants also get to interact with each other to discuss topics related to emerging IT challenges, including automation, hybrid IT, DevOps, and more.

 

With over 16 hours of training, educational content, and collaboration, you won’t want to miss this!

 

Check out our promo video and register now for THWACKcamp 2017! And don't forget to catch my session!

Security concerns are getting lots of media coverage these days, given the massive breaches of data that are becoming more common all the time. Businesses want to have a security plan, but sometimes don't have the resources to create or implement one. Protect your infrastructure with the simple features that a SIEM application provides. Simple, step-by-step implementation allows you to lock in a solid security plan today.

 

In my THWACKcamp 2017 session, "Protecting the Business: Creating a Security Maturity Model with SIEM," Jamie Hynds, SolarWinds Product Manager, and I will present a hands-on, end-to-end how-to on configuring and using Log & Event Manager, including configuring file integrity monitoring, understanding the effects of normalization, and creating event correlation rules.

 

In our 100% free, virtual, multi-track IT learning event, thousands of attendees will have the opportunity to hear from industry experts and SolarWinds Head Geeks -- such as Leon and me -- and technical staff. Registrants also get to interact with each other to discuss topics related to emerging IT challenges, including automation, hybrid IT, DevOps, and more.

 

We are bringing our expanded-session, two-day, two-track format from THWACKcamp 2016 to THWACKcamp 2017. SolarWinds product managers and technical experts will guide attendees through how-to sessions designed to shed light on new challenges, while Head Geeks and IT thought leaders will discuss, debate, and provide context for a range of industry topics.

 

Check out our promo video and register now for THWACKcamp 2017! And don't forget to catch my session!

I have wanted to start an ongoing conversation about security on Geek Speak for a long time. And now I have! Consider this the beginning of a security conversation that I encourage everyone to join. This bi-monthly blog will cover security in a way that combines the discussions we hear going on around us with the ones we have with colleagues and friends. I’d love for you to share your thoughts, ask questions, and ENGAGE! Your input will make this series that much richer and more interesting.

 

You can bring up any topic or share any ideas that you would like for me to talk about. Please join me in creating some entertaining reading with a security vibe. Let’s start…NOW!

 

Let me dive into something that I feel is going to impact hacking behaviors. Microsoft is attempting to find clever, more intense ways to go after hackers. This may not sound surprising, but think about this: They are filing legal suits over trademarks. What? That’s right. They are suing known hacker groups for trademark infringement. Although you can’t drag the hackers themselves into court, you can use the court orders to seize their domains, then observe and disrupt their end game.

 

Okay, so they went after the group that was allegedly involved with the United States voting process. So far, Microsoft has taken over at least 70 different Fancy Bear, or FB, domains!

 

Why does this matter? Why should we care? Because, legally speaking, Microsoft has now put itself in the middle. By using Microsoft’s trademarks in its domains and relying on Microsoft’s products and services, FB opened that infrastructure up to being taken over by... that’s right: Microsoft!

Since 2016, Microsoft has mapped out and observed FB’s server networks, which means they can indirectly cause their own mayhem. Okay, so they aren’t doing THAT, but they are observing and disrupting foreign intelligence operations. Cheeky, Microsoft. Cheeky!

Now, for me, I’m more interested in when they decide they can flip it over into their hands to eavesdrop and scan out networks. The United States’ Computer Fraud and Abuse Act gives Microsoft quite a blanket to keep warm under. But we can go into that later, as it is currently in use at Def Con...

Now, I started the conversation. It’s your turn to keep it going. Share your thoughts about Microsoft, security, hackers, etc. below.

Dez

Firewall Logs - Part Two

Posted by Dez Employee Jun 1, 2017

In Part One of this series, I dove into the issue of security and compliance. In case you don't remember, I'm reviewing this wonderful webcast series to stress the importance of the information presented in each. This week, I'm focusing on the firewall logs webcast.

I chose the Firewall Logs webcast for this week because reviewing firewall logs is a well-known and very useful way to prevent attacks. My takeaway from this session is that SIEMs are a fantastic way to normalize the logs from your firewalls and from the rest of your infrastructure. You don't need me to preach on that, I know. However, I feel that when you pair a SIEM with health/performance monitoring and network configuration management tools, you really have a better solution all the way around.

Everyone (I think) knows that I'm not one to tell you to buy only SolarWinds products! So please do NOT take this that way. I will preach about having some type of SIEM, network performance monitor (NPM), patch manager (PaM), and a solid network configuration change management (NCM) tool within your environment. Let me give you some information to go along with this webcast on how I would personally tie these together.

  1. Knowing the health of your infrastructure allows you to see anomalies. When this session discussed mean time to detection, I couldn't help but think about a performance monitor. You have to know what normal looks like and have a clear baseline before an attack.
  2. Think about your ACLs along with your VLANs and the traffic allowed on your network devices. NCM's real-time change notification helps you track whether any outside changes are being made and shows you exactly what was changed. Combining this with the approval system lets you catch outside access and stop it in its tracks, because those are not approved network config changes. This is a huge win for security. When you also add compliance reports and scheduled email send-outs, you can verify your ACLs and access against patterns you customize to your company's needs. This is vital for documentation, and also for validation if you have any kind of change request ticketing.
  3. We all know we need to be more compliant and patch our stuff! Not only to be aware of vulnerabilities, but also to protect our vested interests in our environment.


Okay, so the stage is set, and I hope you see why you need more than just a great SIEM like LEM to back, plan, and implement any security policies you may need. This webcast brings up great points on how to think about and secure those firewalls. IMHO, if you have LEM, Jamie's demo should help you strengthen your installation. The way he presents it also helps you strengthen or validate any SIEM you may currently have in place.

I hope you guys are enjoying this series as much as I am. I think we should all at least listen to security ideas to help us strengthen our knowledge and skill sets. Trust me, I'm no expert or I would abolish these attacks, lol! What I am is a passionate security IT person who wants to engage different IT silos to have a simple conversation about security.

Thanks for your valuable time! Let me know what you think by posting a comment below, and remember to follow me @Dez_Sayz!

Today, I want to bring your attention to a great series of webcasts that are available here: Security Kung Fu Webcast Series

I will stress the importance of each one of these over the next few weeks as I review and reflect on what I learned from these webcasts.

That's right. I'm reviewing the webcast as a critic in this series because I deeply believe in security, and I want to make sure you guys are aware of the content provided in each webcast. Please follow me on this security adventure and dive into the importance of the information they covered. Also, I'll be mixing them up, so the reviews won't be presented in order. 

Takeaways

1. There is a difference between being secure and being compliant.

  • I can comply with regulations, but does that cover everything within my infrastructure?
  • I can secure my environment, but does that mean I am meeting my overall compliance needs?

These are questions that I like to ask whenever I'm involved with any security plan. This helps to make sure that my environment is fluid and being assessed by both sides of the argument.

2. Too many rules to follow! I just want to do my job!

  • News flash: Security is a business issue. It's NOT just for IT!
  • This webcast talks about the rules and compliance needs for different types of businesses. However, all levels of users need to focus on security. This means engaging with and training them at every opportunity.

The biggest issue that I see is a lack of solid security planning that is integral to an organization's overarching business strategy. This webcast offers insight into ways to use tools that help you complete security plans faster and strengthen both your proactive and reactive security needs.

Summary

The Security vs Compliance webcast will help guide you toward implementing a solid security plan. I joined this webcast and offered some of my opinions on being secure vs compliant, so please feel free to let me know if you have more to add!

Remember, "Security is a very fluid dance. The music may change, but you have to keep dancing."

If there is something specific you guys want me to bring up, please let me know! I love talking security and how to use what you have to support any security plan. Leave me a security comment and I'll see if I can get this ramped up and answer in a future Geek Speak blog!

The latest attack seemingly took the world by surprise. However, most of the affected users were using unpatched and unlicensed versions of Windows. How do we take a stand against ransomware and avoid being sidelined by these attacks? Here are a few things that I do and am happy to share in an effort to help strengthen your resistance against these attacks.

****

Update: Assuming is never a good idea! Of course, your need for data backups is critical in ransomware attacks. But it's not enough to have backups. You must also validate, through testing, that they are usable and that the restore process works.

****

  1. File Integrity Monitoring
    1. Monitor your files for things like changed file extensions, moved files, and authorization changes. Log & Event Manager (LEM) is vital here to help protect your business's information.
  2. Group Policies for Windows
    1. CryptoLocker prevention kits that do not allow ransomware to run from the locations it most commonly installs into.
    2. Make sure the Users group does not have full access to folders. I see this a lot, where a user group has full access to numerous folders.
    3. Make sure that users do not have rights to the registry!
  3. Static Block List
    1. Block known Tor IP addresses, for example: 146.185.220.0/23
  4. Limit network share access
    1. If attackers are able to penetrate and get to a server, you do not want to freely allow the ransomware full access to network shares. You also do not want a general user to have access to network shares that hold mission-critical data. Think about this. Make sure you are applying policies and not giving users access to things they shouldn't have. Whatever access a user has, an attacker who compromises that user has too.
  5. Update patching on servers
    1. If you are not patching your servers, you are exposed to vulnerabilities that are already known and being exploited. Stop being low-hanging fruit and start being the insect spray to keep these attacks to a minimum. Patch Manager will help you schedule and push patches out so you are not worrying about being up to date.
    2. A lab environment is key to making sure your third-party software can safely receive a patch. We all know that when software or an application is released, it is not aware of what's coming in the future. That is why setting up a lab environment to test patches is a great way to patch without worrying about breaking an application in the process.
  6. Spam
    1. For the love of everything great, update your spam filters. This is key to keeping malware away from people who are not aware of these attacks and who end up being blamed when they fall for them. Preventing these emails of destruction helps keep your teams aware, and you can even use the ones you catch for user education.
  7. Test your plan
    1. Test a fake ransomware email with your business. See who reacts and in which departments. This will help you train people within their areas not to react to these types of emails.
    2. You may be surprised at how many people will click and simply give away their passwords. This is an opportunity for you to shine as an IT organization by using this information to get funding and user training for the business.
  8. Web filter
    1. Control the sites that users can access. Use egress (outbound) traffic filtering to block connections to malicious hosts.
  9. Protect your servers and yourselves
    1. Have a companywide anti-virus/anti-malware program that is updated and verified. Patch Manager will help you determine who is up to date and who is not!
  10. Web settings
    1. Verify that your web settings do not allow forced downloads.
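
Here is an added example of the file integrity check from item 1, written for this post rather than taken from it or from LEM: it diffs two constructed snapshots of a file share, tells a plain move apart from an encryption, and raises an alert when files are being renamed to an unknown extension in bulk. The paths, hashes, known-extension list and alert threshold are all assumptions.

```python
# Added example, not LEM or any SolarWinds code: diff two directory snapshots
# and flag what item 1 says a FIM should watch for, files renamed to an unknown
# extension and files moved. Paths, hashes, KNOWN_EXTS and threshold are made up.
from pathlib import PurePosixPath

KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}  # assumption

def diff_snapshots(before, after):
    """Snapshots map path -> content hash. Returns event tuples whose first
    field is ext_change, moved, modified, deleted or created."""
    events, new_paths = [], set(after) - set(before)
    by_digest = {after[p]: p for p in sorted(new_paths)}
    for path, digest in before.items():
        if path in after:
            if after[path] != digest:
                events.append(("modified", path))
            continue
        moved_to = by_digest.get(digest)
        if moved_to in new_paths:  # same content at a new path: a move, not encryption
            new_paths.discard(moved_to)
            events.append(("moved", path, moved_to))
            continue
        old = PurePosixPath(path)
        # Same folder, same stem, extension now unknown: "x.docx" -> "x.docx.locked"
        cand = next((n for n in sorted(new_paths)
                     if PurePosixPath(n).parent == old.parent
                     and PurePosixPath(n).name.startswith(old.stem + ".")
                     and PurePosixPath(n).suffix not in KNOWN_EXTS), None)
        if cand is None:
            events.append(("deleted", path))
        else:
            new_paths.discard(cand)
            events.append(("ext_change", path, cand))
    events.extend(("created", p) for p in sorted(new_paths))
    return events

def ransomware_alert(events, threshold=0.3):
    """Alert when renames to unknown extensions dominate one interval's changes."""
    touched = sum(e[0] != "created" for e in events)  # ransom notes are 'created'
    ratio = sum(e[0] == "ext_change" for e in events) / touched if touched else 0.0
    return ratio >= threshold, ratio

# Constructed snapshots of a share before and after an infection (fake hashes).
BEFORE = {"/share/finance/q1.xlsx": "h1", "/share/finance/memo.docx": "h2",
          "/share/finance/logo.png": "h3", "/share/hr/policy.pdf": "h4",
          "/share/hr/notes.txt": "h5"}
AFTER = {"/share/finance/q1.xlsx.locked": "e1", "/share/finance/memo.docx.locked": "e2",
         "/share/finance/logo.png": "h3", "/share/archive/policy.pdf": "h4",
         "/share/hr/notes.txt": "h5x", "/share/finance/README_DECRYPT.txt": "n1"}
```

Run against the two snapshots, the policy.pdf move and the notes.txt edit pass as normal, while the two .locked renames trip the alert.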

There are lots of ways to protect ourselves at work and at home. The main reason I focus on the home in my user education is that we can prevent these attacks from work, but only to a point. When the user goes home, they are an open door. So including user education that covers ways of protecting home environments is as much a responsibility for the IT team as it is for the users themselves. Once home, ransomware that was blocked from calling out at work may complete that connection and take over the machine.

We can try to protect ourselves with things like LEM, which alerts you when users come online and lets you see if their files have changed or are being changed. However, NOT clicking the "click bait" email is what will ultimately make end-users stronger links in the equation.

I hope this prompts you to raise questions about your security policies and begin having conversations about setting in place a fluid and active security plan. You never know what today or tomorrow will bring in bitcoin asks...

So, I’m sure you're all aware of the Google phishing scam. It, conveniently, presents a few key items that I would like to discuss.

What we know, as in what Google will tell us, is that the attack did not access your information; rather, it merely gathered your contacts and re-sent the phishing email for a fake Google Doc to them. Clearly, we need to discuss the key identifiers of how to protect yourself from similar attacks. The phishing emails were sent from (supposedly) hhhhhhhhhhhhhhhh@mailinator.com. Now, if that doesn't look fishy, I don't know what does. Regardless, people obviously opened it.

Another critical element is that the link in the fake Google Docs email led to nothing more than a long chain of craziness, instead of a normal Google Docs location. However, like most phishing, it appeared to come from someone you know. So how can we protect ourselves?

Google installed several fixes within an hour. This shows great business practices for security on their side. We have to know that there is no one-size-fits-all for security, period. New breaches are happening every second, and we don’t always know the location, intent, or result of these attacks. What we can do is be mindful that we are no longer free-range users, and we have a personal responsibility to be aware of attacks, both at home and at work.

So, I'd like to help you learn the basics of looking for and recognizing phishing emails. First, and always, begin with being suspicious. Here are some ideas to help strengthen your Spidey senses:

  • Report phishing emails to your IT team or personal email account providers. If they don’t know, they can't fix the issue. They may eventually find out, but think of this as your friendly Internet Watch program.
  • Avoid attacks. NEVER give out personal information unless you know why you are being asked for it and are 100% able to verify the email address. Make sure the email address actually matches the sender.
  • Hover over links and verify if they are going to the correct location.
  • Update your browser security settings. Google released a fix for this and pushed it out within hours.
  • Patch your devices -- including MOBILE! Android had an updated phishing release from Google within hours.
  • Stop thinking of patches for your phone as a feature request.
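
As an added example (not from the post or from Google), here are two of the checks above that a human does by eye, done in code over a constructed message modelled on the description: does the From address match the sender it claims to be, and does each link go where its visible text says? The domains, display names and trusted list are assumptions; the mailinator address is the one quoted above.

```python
# Added example, not from the post or Google: the checks the list above asks
# you to do by eye, done in code over a constructed message. Names, domains
# and the trusted list are made up except the mailinator address quoted above.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(text):  # last two labels of the host in a URL or 'host/path'
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw, trusted):
    """Return human-readable findings; an empty list means nothing fired."""
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # The display name drops a trusted brand, but the address lives elsewhere.
    claimed = [d for d in sorted(trusted) if d.split(".")[0] in name.lower()]
    if claimed and domain not in trusted:
        findings.append(f"display name {name!r} claims {claimed[0]} but address is {addr}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        # What hovering reveals: the visible text names one host, the href another.
        if "." in text and " " not in text and base_domain(text) != base_domain(href):
            findings.append(f"link text says {text} but goes to {base_domain(href)}")
    return findings

# Constructed phishing message modelled on the post's description.
SAMPLE = """From: Google Docs <hhhhhhhhhhhhhhhh@mailinator.com>

<p>Open it here: <a href="http://docs-share.example-evil.test/open">
docs.google.com/document/d/1</a></p>
"""
TRUSTED = {"google.com", "example.com"}
```

`phishing_indicators(SAMPLE, TRUSTED)` reports both the sender mismatch and the link mismatch; the same message with a real colleague's address and a matching link reports nothing.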

We can be our own cyber security eye in the sky! All it takes for any of us to be hacked, breached, or attacked is an attacker with motivation and time, so we must be diligent and not let down our guard. Being vigilant is critical, as is proactively protecting ourselves at home and at work by following a few simple practices.

And another thing: let's stop broadcasting our SSIDs at home like a bat signal. There are little things we can do everywhere. Go big and implement MAC address filtering, which will show you if anyone is trying to access your Wi-Fi. (Take it from someone who has four teenage daughters.)

~Dez~
