Vulnerability Management Realities

Trust but verify

Someone tells you they have fixed something, now go and check! You might find that it is not actually fixed, or that the ‘fix’ made the issue worse (or makes new vulnerabilities appear). You might however also find that the vuln is gone.

Wow so many options, but the reality is with this space is that you have to keep checking, you also need to validate.

Validation is key, people do not say that think it is fixed because they have not done something, we all have scenarios where we make a change, assume it works and then find out later that maybe a bit more testing would have helped (I have this too!). Read more “Vulnerability Management Realities” →

Snake Oil Defence: Defending against lies and false claims

Defenders of the Realm

We often talk about not selling using fear, uncertainty, and doubt (FUD). It is quite a big thing in the cyber security industry where the entire purpose of existence is to help people and organisations manage risk to prevent, detect and respond to impact to confidentiality, integrity, and availability. A key foundational component is that we operate using science, trust, and integrity.

This does however become quite interesting when you look at some rather dubious sales and marketing techniques employed by a few.

What I have noticed are there are a range of patterns that are similar (it is like they all went on the same con artist course!) so I thought I would look at some of the indicators I see which bring up flags to me. Read more “Snake Oil Defence: Defending against lies and false claims” →

The case for hacking back

Weapons Free

Cyber warfare, it may sound like something out of a fictional book or science fiction film but in the modern digital age it is a reality. 24 hours a day around the world there are information wars occurring ranging from civilian domestic style events through to military operated campaigns. Read more “The case for hacking back” →

Incident Response – Web Logs

Knowing where to look is a real important piece of the incident response puzzle. With a large number of incidents involving web servers, I figured it was a good idea to talk about some of the common log files, their locations and some gotchas. We are going to dive into some tech 101 then follow up with how this ties into the Incident Response process (so hopefully this helps if you re more PowerPoint than Bash).

Why do we care about where the default paths are? Well hopefully if you have planned ahead and got a security monitoring solution you won’t have to. But all things start from acorns. A good way to start to understand how logs and incident response tie together are to understand what is needed under the hood. This isn’t a deep dive but more a glimpse. When we visit a web page the webserver should be configured to capture the access logs. These logs are really helpful in an incident involving web services, so where can we find them?

Everything must be agile but is that really always…

A lot of people talk about AGILE but the normally mean ‘agile’ however when it comes to security testing and penetration testing (to me there is most certainly a difference) we need to be mindful of the different approaches, so we select the right one for the context, scenario, and objectives.

In this post we take a brief look at what we recommend for a range of scenarios and we look at the key differences and what some constraints might mean when it comes to approach selection.

5 Major Challenges with Business Digital Security

This is not meant to be an essay, but simply a rapid-fire view of things that I see that are major challenges with digital security in today’s age. So, without any further delay let us hit it:

Change Management 101

Managing Change (and releases)

This is an area that I think some might be interested in. I have worked with orgs of all shapes and sizes and one central area I find people struggle with is change management. I am not talking about organisational change management (that is another) but I am talking about the change of information systems or security controls.

Now you might be familiar with ITILv3/2011 and the PROCESS of change management or you might be in the new practise world of ITIL4 where it is called change enablement, or you might have no idea what I am rabbiting on about. That is ok that is why we are here!

The purpose of change management is (according to ITIL) to help minimise the risk of change for IT services.

Routine Security Governance and Management Activities you should plan…

Security Planning 101

I have been thinking about how organisations manage (or do not manage) their security postures from both a governance and management point of view. To help organisations that are just starting on their security improvement journey I thought I have put together a list of activities they may want to have in a forward schedule document (you could even call it a roadmap). It is not going to be all things to all people and different organisations and markets will have different requirements.

New Year , New You! Securing Active Directory

By default, a ‘domain user’ can read mostly everything in active directory. I’m not sure every sysadmin knows this as I often find passwords stored in the description filed (see the example screenshot, this was from a domain user with no third-party tools leveraged). Read more “New Year , New You! Securing Active Directory” →

Things to try & keep an environment safe

I chose these words on purpose, I don’t think keeping environments secure and working is easy. I don’t think anyone has all the answers, even with massive budgets large organisations fail to keep their data and systems secure. But I do know that by doing these activities we can massively change the game when compared to the security posture of an organisation compared to organisations that don’t do this! So, I thought I’d share some of the things I do to try and keep on top of environments cyber heigine. But to start let’s think about the kind of questions are we looking to answer: