Risk management is easy! Isn’t it?

Information security theory and practises use a commonly understood and simple range of tools, methods, and practises to help organisations understand their risk portfolio and to enable them to make both strategic and tactical investment decisions….

Ok someone pinch me. this simply isn’t the reality I see on the ground. The theory is vast, complex and there are a multitude of good/best/insert phrase frameworks and tools that you can leverage to map, model, and communicate risks, vulnerabilities, controls, threats etc.

I’m not going to do a detailed analysis and comparison of different models here, but I am going to at least give people a view of some of the tools and frameworks that you can and may likely experience in the cyber security world. Read more “Risk management is easy! Isn’t it?” →

Cyber Security Architecture

I remember (now it was a long time ago) when I worked in a support role and my dream job was being a technical architect, back in the warm and fuzzy days of no host-based firewalls, IPsec being something only MCPs knew about other than the networking team and when cybercrime was a shadow of how it is today.

It wasn’t until I had a few more notches under my belt when I realised that architecture in technology has different viewpoints, not only that but even the industry can’t agree on what things are or are not. That aside the reality is, is that architecture has different domains, specialisms, views, and viewpoints. I often find myself working across a whole range of areas, that is driven largely by specific customer requirements and scenarios (this is why I have a cool lab and lots of kit!)

When we consider a business technology system it has risk and by nature cyber security in that view. To think of this not being the case would be odd because ultimately “business” is the highest abstraction, and let’s think about what makes up a business: Read more “Cyber Security Architecture” →

Measuring Cyber Defence Success

What does “good” cyber security look like? Sure, we can run a maturity assessment and see what good indicators are and we can create a baseline of our current state to establish where we are and what gaps we have (honestly in real terms this isn’t something to consider you should be doing this!) but how do we measure success in cyber security? Is every success an invisible outcome? Because one question that often comes to mind here is, just because we don’t see something, does that mean everything is ok? In the fast-paced world of cyber security, measuring success isn’t as easy as you would think. I’ll give an example of this, let’s say we don’t monitor, we get breached, but the threat actor just performs crypto mining (let’s say this is on premises) and we never really notice in the grand scheme of the world that our energy consumption costs have increased, if we didn’t know this had occurred, we might think our security is good. Read more “Measuring Cyber Defence Success” →

CAF Workbook

Undertsanding the current state of cyber capability maturity across an organisation is no simple feat. The team at NCSC have created a really good set of guidance with CAF. With all things there’s different ways on consuming, understanding and leveraging good practises.

I often find have XLS workbooks incredibly valuable when looking at indicators of good practise inside organisations. With this in mind, I started to put the GAF indicators into a workbook. This isn’t complete yet. It needs refactoring so it can be pivoted etc. It also needs some parts added for metadata capture and analysis.

I’m publishing this because sitting collecting virtual dust is probably the least valuable thing that can occur.

Hopefully this is helpful to people, even in it’s current half baked state. I’ll and complete this at some point!

What if not everyone is a cyber expert?

Developing a Cyber Roadmap

Ok so this topic comes up a fair bit, but organisations and their management are often looking to ensure they are doing the right thing (no really this is a common phrase I hear with organisations) with regard to cyber security. THe challenge I think quite a few people have is even understanding what that even means. Sure you have a firewall, and antivirus and you had a yearly peneration test of a site that isn’t even touching your corproate network. You thought you were fine, but you keep seeing organisations get ransomared in the news and the board keep asking “are we ok?” so this then leads to a common position of maybe buying more widgets or thinking, well we haven’t been “hacked” so we must be doing ok.

Vulnerability Management – Actually doing it!

Vulnerability Management, Assessments and Vulnerability scanning is sometimes treated a with distain in the Offensive security community, I personally don’t understand that. Vulnerability management is key to inputting into security strategy, architecture, and operations. It’s coupled heavily to many other processes such as:

Asset Management
Risk Management
Patch Management
Change & Release Management
Security Testing
Security Monitoring

Before we start deploying let’s think about some areas for consideration when performing vulnerability scans:

Scope
- Asset/Hosts
  - IP Ranges
  - Hostnames
- Connectivity
  - VPNs
  - LAN/WAN
- Device Types and Configuration
  - Domain
  - Workgroup
  - Appliance
  - ICS
  - Printers
  - Network Equipment
- Unauthenticated View
- Authenticated View
  - Auth Types
  - Protocols
- Scheduling
- Authority to execute
Impact
- Performance
- Availability
- Confidentiality
Objectives and Outcomes
Reporting
- Information Flow
- Report Storage and Confidentiality

Nine to Five in a digital first, always on…

We never used to have to worry

As technology becomes more and more embedded into our lives, into our businesses and into our realities, you must wonder why it’s so hard for some to adapt to the changes this brings.

With more connectivity, with more services online, with more systems connected and with people wanting always on, always available services you must consider the realities of technology management in today’s world.

Is it right to expect your systems to be online 24/7 365 days a year? Do your staff want flexibility? Do you operate services which are exposed to the internet? Not only is keeping the services online (and well maintained) a consideration, how do you keep them secure?

System security is probably viewed by many still as something that a monthly hotfix or upgrade looks after. Unfortunately, whilst that might be “got by” in the 90s and early 2000s the reality is that doesn’t work anymore. Read more “Nine to Five in a digital first, always on cyber hellscape!” →

Cyber Strategy Magic

Strategic this, strategic that

People band strategy around like it’s some sort of mythical beast that requires no knowledge of the subject involved but is done by wizards and executives (it’s just done by people, but I digress) so I thought I’d talk about strategy development.

Now forewarning you might come out of this post thinking… there must be something else… something you are missing as Dan’s not showing any secret magic…. Often what is commonly lacking when looking at strategic execution is effective communication, consensus, and marathon like commitment to deliver on said goals and objectives. Why? Because that part is really, really, hard, if it wasn’t we’d all be sipping Bollinger in the Bahamas.

Know the business

If your first thoughts are to run to Sun Tzu or grab an ISO27001 document then you should probably pause, grab a tea, and take a breath. In my experience cyber security is:

Not a war
Does not require anything to do with the military
The answers are not simply in a book or standard document

People often think that a framework, guide, or standard will give them the answers. Sure, they are often useful tools to help, hell the domain of cyber is broad as hell and there’s so much to do and often so little time, so job aides and not re-inventing the wheel is a good thing, that doesn’t however just mean that with documents you will be in a good position. Read more “Cyber Strategy Magic” →

Penetration Testing

Overview

Penetration testing is the activity of conducting security testing with the aim of identifying and exploiting vulnerabilities to identify strengths and weaknesses. I include strengths because I believe it’s important for security testing to promote both positive and negative findings. I also think that there is a huge mis conception with what penetration is, what it helps with and how to best get value from a penetration test.

My definition isn’t too far from the NCSC one: https://www.ncsc.gov.uk/information/check-penetration-testing

A penetration test is a security assurance activity, but it’s one of many activities that I recommend people conduct. This is however largely only adopted by the few, for many a penetration test is a compliance tick box, either from a regulatory or contractual requirement.

When looking at a system a penetration test is not usually the most efficient starting point, especially if it’s from a black box perspective. Read more “Penetration Testing” →

There’s never any time – A mRr3b00t Adventure

Introduction

I’ve been working with technology and its security for a while, I have travelled to different parts of the world, I’ve worked with major organisations, and I’ve worked with a whole range of organisations both from strategic advisory and at the coal face perspective. Now over the last twenty years I thought about how much has changed… and honestly, I don’t think much has.

Technology innovation, miniaturisation and adoption rates are through the roof, but I still see massively similar patterns. I’m not going to try and quote statistics, but I think it’s a fair to say the threat landscape has changed somewhat (for the worse!)

Back in the 2000s era we had networks running Windows 2000 and Windows Server 2000/2003, we had clients with open services which could largely be accessed from anywhere on the network. We had host-based firewalls from third party vendors, but these were rarely implemented, MSBlaster and Windows XP changed this dynamic somewhat, to say things haven’t improved on one front would be a lie, however the level of crime and access to technology globally has changed massively. Read more “There’s never any time – A mRr3b00t Adventure” →