Jon's Network

Upcoming Data Connectors Conferences

Jon — Tue, 06 Mar 2012 08:01:38 +0000

I am sponsoring a couple of upcoming dataconnectors shows. John Bisaillon of Digital Scepter will be demonstrating how to rapidly find threats, malware and indicators of compromise across the network in seconds. Where other tools might take hours or days to collect data from tens of thousands of nodes, Tanium will find them in seconds. You could make changes just as fast. We’ll be demonstrating how this can impact your security processes.

For San Diego April 12, 2012 register here: For Orange County June 07, 2012 register here:

RSA Conference 2012

Jon — Mon, 05 Mar 2012 16:34:43 +0000

RSA 2012 was my first RSA. I used a vendor code to get an expo-only pass. I’ll be attending again since it’s a good chance to visit vendors, customers, prospects and online buddies in a short amount of time.

I had the chance to speak briefly to Richard Bejtlich, whose NSM principles we borrow from at our company when giving advice to customers. I recently revived my interest in metrics so I asked about metrics. He said to track two metrics: incidents per unit time and elapsed time to resolution per incident. An incident is whatever your organization thinks it is.

I was as a breakfast on Wednesday morning with a panel of about 8 CISOs from large corporations. Afterward I asked a couple of them which KPIs they use or have developed. I know the sample size is small, but it appears that they all develop their own indicators and don’t share with other CISOs or are in the process of developing them. The reason for this is no company wants anyone to see how much money they spend on security or risk they tolerate compared to their peers. Seems to me that they wouldn’t be giving their peers any advantage but perhaps there is a social stigma to sharing this stuff – like admitting you have herpes.

During the breakfast, a few of the CISOs also mentioned that security ROI is a waste of time and just to look at TCO. I’m of the opinion that you can’t avoid at least a gut ROI calculation. If you calculate the TCO, then decide it is worth purchasing, you just calculated the ROI right? My need to call it something else since it isn’t an investment per se. Paying for security is usually trying to avoid a probable loss. Like paying extra for a car with airbags

These same CISOs also said quantitative risk management is a waste of time and unnecessary. I don’t think you can escape at least a gut risk calculation and that the quantitative and qualitative are just different ends of a spectrum rather than binary options.

Finding pcAnywhere in your Organization

Jon — Fri, 27 Jan 2012 14:36:06 +0000

Symantec announced that hackers have had the source code for remote access software pcAnywhere since 2006. It can’t be trusted until they issue a patch. Some organizations may be anxious to see how many of their machines have pcAnywhere installed. If you have an application aware firewall like Palo Alto Networks, you can see if there is pcAnywhere traffic on the network easily. To find out where it’s installed but not in use, most are probably using software like Altiris, Tivoli, etc.

One tool that can find pcAnywhere (or any software for that matter) is Tanium – and it can do it for you in 15 seconds. For example, you could ask a question looking for a file or registry key and the endpoints are directly queried and the responses come back in 15-30 seconds, even if the machines are scattered around the world.

It’s great for tiger teams doing incident response.

Tanium

Disclosure: Digital Scepter is a Tanium distributor and a Palo Alto Networks Platinum partner. That means if you’d like to learn more, you can hit me up at (888)299-3718 or by email.

Note on M86 Authentication

Jon — Sat, 05 Nov 2011 00:00:42 +0000

M86 authenticator and web-based authentication should work fine side by side. If you are using web-based authentication ONLY for ipad/iOs devices, then use Tier2 instead of Tier3 as it does not include Java Applet. Instead they configure authentication session retention time in the filter i.e. keep profile active for 60 minutes once authenticated. In WFR 4.2, you will be allowed to select Tier 3 Web Based Authentication so PC/Macs running java can leverage the session based authentication, while iOS/Android devices will fall back to the Tier 2 setting.

Here’s what you need to know about WF Web Based Authentication:

http://www.screencast.com/t/6aNS7CNxOyi7

TinEye

Jon — Fri, 21 Oct 2011 03:38:19 +0000

TinEye

TinEye is a reverse image search engine. You can submit an image to TinEye to find out where it came from, how it is being used, if modified versions of the image exist, or to find higher resolution versions. TinEye is the first image search engine on the web to use image identification technology rather than keywords, metadata or watermarks. It is free to use for non-commercial searching.

USB to Serial Driver for Mac OS X Lion

Jon — Wed, 19 Oct 2011 04:14:31 +0000

I use and highly recommend MacWise for connecting to network devices via a console on a Mac. The driver I had for the USB to Serial device I have stopped working after my recent upgrade to Lion. The following fix worked like a dream:

OS X Lion PL2303 Driver

Find Files with No User or Group

Jon — Sat, 20 Aug 2011 23:21:30 +0000

This command can yield some interesting information:

find / -nouser -o -nogroup

Learned about it while playing with NeXpose today.

Mobile Security Webcast

Jon — Sat, 16 Jul 2011 05:29:14 +0000

Here is a recorded webcast by Daniel Miessler:

http://t.co/Zf5GhL8

Bank Robbery Analysis

Jon — Thu, 14 Jul 2011 06:31:08 +0000

Interesting article that applies the OSSTMM to a famous diamond heist.

http://www.isecom.org/Bank_Robbery_Analysis_OSSTMM3.pdf

Internet sales tax: Online retailers to start collecting sales taxes in California

Jon — Thu, 30 Jun 2011 23:24:23 +0000

Well, this just sucks.

http://www.latimes.com/business/la-fi-amazon-tax-20110630,0,4344787.story