Most recent blogs, netcasts, papers, etc.

Media Sanitization Guide (White Paper, November 19, 2019)

Protecting sensitive information requires attending to where the information is located and used throughout its lifetime. This document guides how to manage sensitive information when the media on which it resides is no longer used for that purpose. These management processes are collectively known as media sanitization.

Media comes in several forms: magnetic, paper, solid-state, and optical. I address sanitization across all of these media types, including how to meet associated data erasure challenges. Further, this guide provides steps and considerations needed to implement and manage media sanitization policies and procedures.


DNS Tunneling Identification and Defense (Paper, October 9, 2019)

Video Version

Domain Name Service (DNS) traffic freely travels across network perimeters and internal network segments. Organizations cannot arbitrarily block this UDP port 53 traffic because doing so would break most, if not all, network communication. Malicious actors (MA) know this and have found ways to exploit DNS for their purposes.

One example of how MA exploit DNS is tunneling. DNS tunneling enables command and control (C2) and data exfiltration traffic for which most organizations do not look or are unable adequately to detect.

This paper helps organizations understand the threat and available defense solutions.


Protect Your Organization from Your Managed Service Provider (September 16, 2019)

In July 2019, dental clinic customers of a managed services provider (MSP) fell victims to a ransomware attack. The attack was initially launched against the MSP and then spread to supported customers[...]

If your organization is planning to engage an MSP, or currently uses an MSP, it's essential regularly to check to ensure the MSP is effectively secure: secure in a way that protects your resources. If the MSP systems and networks introduce too much risk to your organization, and the MSP refuses to change, walk away.


Access Control Models For ICS/SCADA Environments (September 12, 2019)

Access control for critical infrastructure requires moving the perimeter to workloads and managing access based on context. This zero-trust approach ensures access based on user/device characteristics, target workloads and associated risk. In this article, I give an example of one of two general approaches to achieving zero-trust ICS networks.


Use the Purdue Model to Protect High-Value Targets (September 12, 2019)

According to the Proofpoint 2019 State of the Phish report, the number of phishing attacks is increasing. Production/operations networks are the most popular targets. These targets include all industrial control and management systems (ICS), including manufacturing and utilities. Another popular target category includes R & D systems.

Protecting these networks requires isolating them from the higher risk user environments in organizations. Use of software-defined perimeters is an approach recommended mainly by today’s security professionals for achieving zero-trust networks. However, it is not always appropriate for legacy production systems. Many of these systems were implemented many years ago with little or no attention to security. In these and other cases, the use of firewalls for microsegmentation is often a better choice.


The Media Needs to do Better with Security Awareness (August 30, 2019)

The CBS news program 60 Minutes recently reported on ransomware attacks. They did an excellent job showing the impact, but they did a terrible job discussing prevention. If I were not a security professional, I would have thought there was nothing I could do but simply pay the ransom.

This was little value in this approach. The approach of not clicking on links, for example, is not enough to protect an organization from ransomware. In one case reported by 60 Minutes, even the backups were affected. Consequently, restoration of backups is not always a good response when an infection has already occurred.



Microsegmentation: One Step Toward a Zero-Trust Network (August 19, 2019)

Zero-trust network security assumes no network segment is safe. It also switches authentication from user/network to user/application. These two requirements result in shrinking the perimeter to the applications themselves. In ZTN parlance, we call applications workloads.

Placing the perimeters as close as possible to the workloads requires microsegmentation. In this article, I take a high-level look at two approaches to microsegmentation: Palo Alto Networks (using NextGen firewalls) and Cisco’s Application Centric Infrastructure (ACI).


ICS/SCADA Access Controls (August 19, 2019)

This article provides an overview of ICS logical access management challenges and ways to meet them, including network segmentation, risk-based access control and context-aware authentication and authorization.


Lateral Phishing is Strong Lure for Password Theft (August 19, 2019)

Known as lateral phishing, a malicious actor gains control of an internal email account in a target organization. The actor then sends email to other target Lure angler fish with long spiky teethorganization employees, usually to gain login credentials.


Provide Business Value with Security (August 15, 2019)

ISecurity must provide value to the business. Security teams achieve value creation by focusing on service warranty elements when implementing system and network controls, policies, standards, guidelines, and baselines.


Large BEC Social Engineering Attack Demonstrates Need for Secure Procedures (August 1, 2019)

In January, malicious actors stole over $2.5 million from Cabarrus County in North Carolina by sending email posing as a contractor. The lack of secure financial procedures enabled this theft.


Achieve a Zero Trust Network with a Software Defined Perimeter (July 30, 2019)

Use of zero trust networks emables secure access to applications. It shrinks perimeters to the applications and assumes no network segment is safe. This article describes zero trust requirements and one way to start implementation.


Practical Application of System Security Engineering to SDLC Security - Part 3 (June 28, 2019)

In the first two articles in this three-part series, I described the three system security engineering contexts: problem, solution, and trustworthiness. Each of the contexts has objectives we must achieve throughout a system’s life. We use a set of formal processes to achieve and maintain the context objectives.


Practical Application of System Security Engineering to SDLC Security - Part 2 (June 25, 2019)

In the first article in this series, I explained the need for system security engineering and how it works. I also explored the first two SSE contexts: Problem and Solution. In this article, I address the core of the third and final Trustworthiness context: the assurance case. I provide a simple, practical approach and an example case.


Practical Application of System Security Engineering to SDLC Security - Part 1 (June 19, 2019)

Past approaches to creating and managing secure systems are not working. Daily reports of breaches and daily reports describing critical system vulnerabilities are strong indicators of this. A different approach is needed. System security engineering (SSE) applies engineering principles to building system security models. The models are used throughout the systems’ life cycles to ensure changes retain expected risk expectations for both waterfall and DevOps system management techniques.


Define Meaningful Security Metrics (Yes you can…) (June 19, 2019)

You can’t manage what you don’t (or can’t) measure. We know this about security, but many believe it isn’t possible to provide management with meaningful proof that security is working as expected. However, problem definition as part of system security engineering (SSE) provides us with a straightforward way to do this.


Manage the Business Risk of the Web You Don’t See (June 4, 2019)

Knowing what personal information about employees and customers is available to potential attackers helps organizations determine the risk associated with data collected by malicious actors. Social engineering and direct attacks against authentication controls are enabled by services and databases maintained below the surface web. Organizations must understand what information is valuable to malicious actors as well as how and where to look for it.


The Security Challenges and Defense of Hidden Data (May 26, 2019)

Using steganography, insiders can steal large amounts of information, even when under strong security oversight. Steganography also allows the undetected downloading of malware and the post-implementation malicious command and control traffic. Steganography defense requires identifying potential exploit opportunities and implementation of controls to prevent and hinder its use.


The Potential Use of Artificial Intelligence in Cyberattacks (May 26, 2019)

AI is ethically neutral. Both security teams and cybercriminals can use it. As AI improves our ability to secure our organizations, it also improves attacker capabilities: providing better target opportunities with potentially higher rewards.


Vulnerability Management: The DHS Tries to do it Right (May 2, 2019)

Vulnerability management is a necessary process that requires more than jumping through hoops when patches are released or vulnerabilities revealed. Instead, we should follow a documented process to manage associated risk from high to low.


Over 2 Million IP Cameras Vulnerable to Video and Credential Theft (April 30, 2019)

More than 2 million IoT devices vulnerable to malicious takeover. Emotet Trojan uses IoT devices as proxies.


Piracy Streaming Devices Compromise Home Networks (April 29, 2019)

Kodi streaming platform can compromise home networks. Docker Hub database breached. Chrome URL bar hiding.


Never Assume Your Encryption Keys are Safe Enough (April 25, 2019)

KAre your business phones affected by the Qualcomm side-channel vulnerability? The increasing threat of credential stuffing. Do not rely on third-party software testing.


Weak passwords continue to elevate risk (April 22, 2019)

If you think your users have learned what passwords NOT to use, think again. A list of the top 100,000 most common, compromised passwords was published last week by the UK National Cyber Security Centre.


Do you have ePHI on your network? Are you sure? (April 19, 2019)

Organizations not usually considered health insurance or medical providers are still covered by the HIPAA. This is a hard lesson learned recently by a furniture manufacturer.


Digital Doppelgangers Bypass Computer ID Checking (April 17, 2019)

Digital doppelgangers help malicious actors bypass fraud protection. Internet Explorer has easily exploited vulnerability.


Weak Help Desk Security Weakens Overall Attack Surface (April 16, 2019)

Microsoft uses weak authentication for help desk access; do you? Scranos rootkit steals browser-stored passwords and more.


Microsoft Office is the Most Popular Attack Target (April 15, 2019)

Microsoft Office is the most popular attack target. RobinHood ransomware adds late fees of $10K per day.


Phishing email gets through, so manage it: Threats and Vulnerabilities Today... 04/11/2019

Phishing email is the most popular way to deliver malware, and much of it makes its way to your users. Dark web markets include SSL/TLS certificates as part of overall attack solutions.


Samsung Galaxy S10 fingerprint scanner hacked: Threats and Vulnerabilities Today... 04/10/2019

Samsung Galaxy S10 ultrasonic fingerprint scanner fooled by 3D printing. TajMahal APT steals your information in new ways. A “Best of 2019” list of password managers.


Millions of Verizon home wireless router networks at risk: Threats and Vulnerabilities Today... 04/09/2019

New snatch-and-grab malware now available on Russian black-market sites. Millions of Verizon home wireless router networks at risk. Signed Exodus spyware targets iOS users.


TrickBot trojan continues as biggest business threat during tax season: Threats and Vulnerabilities Today... 04/08/2019

Bootstrap-Sass for Rails latest software supply chain target. TrickBot trojan uses tax season to lure business users. Mirai bot software can run on an increasingly higher number of IoT devices.


Free threat assessment for medium and large organizations: Threats and Vulnerabilities Today... 04/05/2019

Free threat assessment for organizations of 300 or more connected devices. Employees’ home networks should always be considered hostile to their employers’ networks.