It's amazing what people still do over the wire
|
Ever since I started working in network forensics and integrity, I have noticed the sheer amount of malicious and inappropriate traffic that travels across the wire. This is nothing new, but I think most people disregard it. They shrug it off and accept the incidents and events as reasonable. Maybe they don't, and are actually trying to do something about it, but there are simply too many to stop. The most common answer I hear is "I have nothing worth stealing." Oh how ignorant. Whatever the reasoning, it is still a large problem. I do not believe there is a perfect solution, but it needs to be dealt with, since you really do not know what is coming into and leaving your network. There are two big areas that I think need the most focus: data loss prevention (DLP) and malware.

I have found user ignorance to be a common theme throughout my exploration of network integrity. You can give users training class after training class, but some of them either refuse to become self-aware or prefer to stay ignorant. They will still send their passwords over unencrypted channels, use sites with self-signed certificates, and even post their personal documentation openly. Why they do this, who knows, but it needs to matter to someone. The passwords could be those of an internal firewall or a domain administrator account; that unsigned certificate could be a man-in-the-middle attack; that personal information could end up being used for blackmail. Whatever the method of data loss, it poses a threat to any organization.

A few of the ways I have combated these events, though I cannot stop them all, are writing deep packet inspection parsers and doing basic network integrity monitoring on a SIEM. I am sure we can agree that there is sometimes too much data to look at all of it. You can stop unsigned certs from completing their connection outbound with an Apache web proxy or a vendor solution. You can sniff for keywords to find passwords, SSNs, credit cards, etc. with packet inspection parsers or IDS signatures. If DLP is an important issue and you would like to test it, sign some of your sensitive information with a unique string of hex code, then create a parser that searches for that particular hex string during deep packet inspection. That would give you an idea of how your sensitive information flows internally and whether it flows externally. I'll be taking aim at the next area I mentioned, malware, so stay tuned and check back when you get the chance.
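The canary-hex trick and the keyword sniffing described above, as an added example that is not the author's own parser: a small scanner that takes reassembled payloads as bytes and reports a planted hex marker, password parameters, SSN-shaped strings, and digit runs that pass the Luhn check. The canary value and the sample payloads are constructed placeholders; plug real stream data in from whatever capture tool you use.

```python
import re

# Constructed placeholder canary: a unique hex string you plant inside sensitive
# documents so a DPI parser can recognise them wherever they travel. Pick your own.
CANARY_HEX = b"c0ffee4badd00d5e"

# Keyword/pattern sniffers for the kinds of data the post mentions.
PASSWORD_RE = re.compile(rb"(?i)\b(?:password|passwd|pwd)=[^&\s]+")
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")  # digit runs, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_payload(payload: bytes) -> list:
    """Return the kinds of sensitive content found in one reassembled payload."""
    findings = []
    if CANARY_HEX in payload.lower():
        findings.append("canary")
    if PASSWORD_RE.search(payload):
        findings.append("password")
    if SSN_RE.search(payload):
        findings.append("ssn")
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("card")
            break
    return findings

def scan_payloads(payloads) -> list:
    """Scan a sequence of payloads; return (index, findings) for those that hit."""
    return [(i, f) for i, p in enumerate(payloads) if (f := scan_payload(p))]

# Constructed sample payloads standing in for reassembled TCP streams.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=alice&password=hunter2",
    b"Subject: new hire\r\n\r\nEmployee SSN: 123-45-6789, starts Monday.",
    b"order=42&card=4111 1111 1111 1111&exp=12/29",
    b"<!-- doc-tag: C0FFEE4BADD00D5E -->\r\nQuarterly numbers attached.",
    b"GET /status?id=1234567890123456 HTTP/1.1\r\n\r\n",
]
```

Calling `scan_payloads(SAMPLE_PAYLOADS)` flags the first four samples and stays quiet on the last, whose 16-digit order id fails the Luhn check; feed each hit to your SIEM with the source and destination of the stream so you can see where the tagged data is going.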