Category Archives: Enterprise Security

Guest Post: Functionality and Benefits of WAF

The following guest post was provided by Ben Henderson, CISSP from Ensure Networks. Email him here. You can download the full paper here. The foremost functionality of a WAF is to secure web applications against application layer vulnerabilities. WAFs can be hardware devices or software that is deployed to monitor and protect web traffic. WAFs have the ability to enforce default and custom configured policies for browser to server transactions. They are similar to network firewalls in that WAF policies generally apply to IP addresses and ports. However, WAFs inspect HTTP traffic to normalize the data in the headers and URL parameters. They employ a variety of functions and work in parallel with IPS technology to enhance the ...


Guest Post: Virtualization Makes Everything Easier – Including Burning Bridges

The following guest post was provided by Richard Rees, CISSP, a Practice Manager for EMC Consulting’s Virtualization Security and Cloud Trust group. Email him here. The best thing about computers is they do exactly what you tell them to do, very quickly. However, the worst thing about computers is that they only do exactly what you tell them to do. I’m still waiting for an OS that contains DWIM code (Do What I Mean) without the evil of Clippy. Virtualization is the same thing – except even faster over a larger scale. Instead of computers needing DWIM capability, entire data centers need them. This applies to security as well – the traditional problems of security in a data center exist in ...


Guest Post: Getting Management to Buy into ITSM

The following guest post was provided by Erin Palmer on behalf of the online IT service management programs from Villanova University. For more info, check out Villanova online education courses. Despite large amounts of data and case studies singing the praises of ITSM, there are still managers reluctant to adapt to a change toward an ITSM system for a variety of reasons, including:

Time: Managers generally think in the time frame of quarters, not six months or more.

Risk: Managers see too much risk in a process where results may not be immediate.

Cost: Cost benefit analysis may be a hard sell since initially the investment cost may be significant and the ROI will take place over ...


DNS Query Logging—Looking for Fires

Yesterday morning I was catching up on some RSS feeds and came across this interesting post from Trevor at ThreatSim entitled Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now. After reading it, I had one of those “Ah-ha” moments where I looked at one of the recommendations and asked myself, “Why am I not doing that?” For those of you who know me (or have ever had to get on my home WiFi), you know that I have made my home network entirely too complex for what I need it to be. Three different DMZs is a little insane, don’t you think? But I did it for a reason—so that I can talk ...


What Does IT Provisioning Look Like?

The title for this post is only funny if you read it in the voice of Jules Winnfield asking Brett to describe what Marsellus Wallace looks like. If you can get in that mindset (I can’t link to it, you just have to get there on your own), then this will be more effective. Imagine for a second that you are the CIO of a company (Jules Winnfield), and you are trying to build some information security features into the systems you are responsible for keeping up and running. You go to your CISO (Brett), or maybe the sales rep of the infosec vendor, and ask them how their product works in the new model of IT provisioning and operations. ...


Anatomy of an Attack Critical Security Checklist

If you have seen me speak over the last couple of months, there is a good chance you heard me talk about advanced threats, sometimes in the context of the RSA breach. Near the end of these talks I either flashed up a slide that had a checklist of things detailing changes we made, or people asked me specifically (like what happened at the Evanta CISO Summit in San Francisco on Monday) what things we did to bolster our security. For those of you who have asked for access to this slide, I’ve gotten permission to post our Security Practices – Critical Checklist here. Enjoy! ...


Ditch the Value of Information Equation

And now, on to one of the biggest challenges we face while having information risk management discussions: What is the value of information? Information by itself doesn’t have tangible value. Its value is subjective. Everyone has their own opinion, and many people manipulate the values to serve and twist their message. In fact, the only thing you can really come close to arguing is the value of the medium upon which the information exists. Be it a hard drive, jump drive, or a piece of paper, those things have some kind of agreed-upon value. But the information itself? Imagine for a minute that you are charged with protecting a pile of cash totaling $100,000. Because our financial system is based ...


What Does Your Perfect Setup Look Like?

The uses and appearances of information technology have changed dramatically over the last ten years. And the ten years prior to that, and the ten prior to that. It’s amazing to think that the devices most of us carry around in our pockets are more powerful than some desktops twenty years ago, and more powerful than rooms filled floor to ceiling with computer hardware forty years ago. The use cases have changed as well—so much so that we have monetized IT to the point where we cannot conduct business without it. Protecting our IT systems isn’t just a “nice to have” anymore, it’s required to protect the investments entrusted to us. Ten years ago phones were phones, and you had ...


Collateral Damage is One Click Away

Social engineering is now recognized as one of the top threats to enterprise security. I think we all have had side conversations with security leaders inside companies validating this concept for years, but not until recently have we seen it pass other threats in such a public forum. Those same security leaders have struggled with mitigating the threat because they instinctively jump to a Draconian view of information security policy enforcement as the only solution. It certainly would be effective in some ways, but morale would plummet and the creative technophiles would find ways to free themselves from such Athenian legislation. The irony is that many of these controls are not only designed to protect our information assets, but also ...


Exploiting Human Trust and Complacency

I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning, which was much closer to informational supply chains, or better yet, the flow of trusted information. This led to a great hour of discussion about an attack vector that I call Exploiting Human Trust and Complacency. I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful? Before we delve into that, ...
