Naturally Secure Windows Machine

How to utilize native Windows security features to get beyond all the tools in the market?!
Windows Security Monitoring: Scenarios and Patterns
Dig deep into the Windows auditing subsystem

Most of the times ‘extra tools’ are just for doing things in a different way, perhaps more convenient, but not necessary in a better way, or more effective, cheaper or faster way and Windows is not an exception. Speaking of Windows security features, all the features we need are already part of operating system, they are either initially included or later provided by Microsoft. There are exceptions, but only when we are looking for a totally different structure, a very unique extraordinary situation, and that is where what we want is behind the Windows native features and capabilities, so we have to add something to the kernel or expand the API.

Windows 10 for Enterprise Administrators
Enhance your enterprise administration skills…

Windows Firewall and power of Micro Segmentation, EFS and power of Windows native file-level encryption, basic Access Supervisory via powerful native to kernel, Windows Event Monitoring and Sysmon, Group Policy and world of unlimited capabilities, PowerShell and unexpected security administration possibilities… and many more unleashed Windows features are already there, you just need to utilize them before thinking of buying a new tool!

In following articles I will explain how to unleash Windows native security features before shopping for a tool. Even though tools might be free, why add anything to Windows when it is already packed with most of the necessities? Let’s get through the basics briefly:

Zyxel ZyWALL (USG) UTM Firewall
Perfect for small offices…

Windows Firewall provides all you need as the cheapest and fastest host-based firewall for Windows. It does not matter if the target machine is part of a corporate network or small office or home computer. Most importantly, it is very easy to utilize it as part of your micro-segmentation and see how you can reach the effective filtering and totally eliminate lateral propagation of malware in a large scale network. But if you ask me why administrators ignore Windows Firewall, I have no explanation unless admitting that beauty of third-party firewalls totally blinds them!

Encryption in a Windows Environment
encryption is nothing new to Windows…

Encrypting File System (EFS) is a powerful file encryption which surprisingly has been ignored among new generation of IT administrators. Perhaps ‘encryption’ is enough scarry for most of IT staff to deal with so they decide to rely on third-party colorful tools, but I will show you later how to use EFS as the integral part of ACL and take your access supervision to next level!

We will deep dive into one of the most effective monitoring extensions of Windows, Sysmon, and see how a couple of extra megabytes can change the scope of Windows Event audit trial, needless to say Windows event log is a quiet piece of intelligence where all those shinny system and network monitoring tools are relying on, and if we add a little bit of AI to it how a free SIEM could evolve from it!

Master PowerShell Tricks
41 chapters of intense PowerShell learning…

The point is, Windows has enough native tools to touch almost anything you want in terms of security, and for some hidden tiny tweaks we could always get into Registry, at least we won’t be worried about extra security vulnerabilities result of introducing new tools to environment, so why not get more familiar with the operating system and get maximum benefit from its native security features and capabilities? Then some day if you had a very specific requirement which Windows was not capable of providing it, you could consider using third-party tools or even switching to a whole new operating system!

Security Program: How To Thrive?

From struggling or hardly surviving, to a fully supervised and manageable security program…
Cybersecurity Program Development for Business
what cybersecurity risks are and the decisions executives need to make…

Most companies are struggling with running an smooth security program. No matter how much they are spending on that, the difference is really not that much. From zero budget to million dollars security budgets, they still do not have enough trust in their security program. Regardless of how much they are spending on security initiatives, they never really have confidence and are not expected to see positive and reliable result of their investment.

Adversaries are finding new ways to hurt online businesses every single minutes while tech gurus are creating “solutions” to address today’s challenges within months, years and sometimes decades after the fact!

We simply are only trying to survive in cyberspace, but what could we do better to thrive, in a stronger position, where the security is not a hassle anymore, and it should not be the heart of the matter too. Let’s look at some practical countermeasures:

* stick to a management system

Security Operations Management
reference on corporate security management operations…

For a moment forget about technology and tools and get back to basics. A management system could totally fulfill whatever you need in terms of handling processes and not being worried about base of your operation. You can invent the wheel again or you can choose from thousands of management systems, but first ask experts which system fits your needs or bring professional on-board to implement a system fully customized to your work flow from scratch, also believe me, without a management system of any kind and approach, you will be still at the first step after years spending your precious time, which is that “surviving” approach.

* set objectives

any project has a set of goals which are measurable and achievable. Objectives are neither like: having a more secure network…or, setup RDP filtering on firewalls…there are more like reducing current number of entry points to network…or, assessing current remote protocol insecurities…

objectives help you better understand what are trying to get from your management system, and where resources have to be focused. This topic is also related to Risk approach which I think is the fundamental and background of the management system.

* constantly measure

These are checkpoints where you can tell precisely and by evidence if you are on the track, and the more you measure and automate the process, the more you get close to a proactive system and faster accomplishing each of objectives. Through measurement you can tell of direction is write or wrong, or what is wrong or right.

* plan for corrective and preventive actions

with each measurement you need to define corrective actions if the result is not expected or the pace is slow, and the plan to enforce these corrective actions is the key to a smooth security program, otherwise you will be struggling with past actions while new ones arrive.

* be responsive to facts not fictions

computer security industry is full of fictions, and we mostly spend time and money on things which are either not important or can be tackled from root, so let me give you an example:

taking Advil when
you catch flu is just a pain killer, only for passing time without
suffering from flu symptoms, just to survive, because we do not know
how to handle flu virus in 21st century (or maybe we know
but we don’t want to disclose?!), and that is similar to running a
virus scan on your network when you get a virus infection!

Cyber security facts have not been changed since the beginning of this subject in human history, so once you know about the facts you see how it is easy to address them without Advil!

Complexity: The Hidden Monster behind Insecurity

No doubt that companies struggle with information security these days. Today they spend hundreds of thousand dollars, some millions, tomorrow they realize they have done nothing! Security folks do not have peaceful night sleep, because they know what they have done during the day could easy be compromised!

Regardless of why we are spending money while we are not certain or confident to an expected outcome, why solutions really getting more and more useless and ineffective? The answer is the hidden monster behind all insecurities within information technology: the complexity beast!

Complex systems introduce complex work flows which are prone to intensive security flaws!

Complicated systems (which are also prone to insufficiency) introduce complex work flows and a model which is naturally prone to have more flaws, result of more surface for the attack and more attack vectors with combined magnitude and even unexpected new evolved way of attach. This is not fiction, this is the dynamic of today’s cyber security trend. You hire, you purchase, you train, you consult… you do your best and still you are not confident cause your neighbor company just had a breach and you will be more scared if you have pro visibility and see how malicious actors are already in-house!

Traditions have proven outcome already messaged, although market hesitate to listen, let alone to follow!

Lean Software Development: Efficient Deployment Strategies
Do you want to cut waste all across your deployment strategies?

Fancy systems are more attractive to adversaries also, and there is reason behind it because they know how the chance of finding a flaw is exponentially higher when they see a fancy colorful IT infrastructure vs a clunky system out there. The worst part of this is that, customers of that fancy information system do not necessarily get better services or goods (products) even they pay more for it, they are also prone to lose more due to a complex system as backend, but that is another story with its own sad ending.

Complex software and hardware build complex systems

Clean Code: A Handbook of Agile Software Craftsmanship
Even bad code can function. But if code isn’t clean, it can bring a development organization to its knees…

Complex systems are built around complex software, hardware and literally a complex IT setup where a given goal is accomplished through a complicated workflow, and this is either result of poor design, or just excess resource assignment where it is not needed at all. There are millions of examples you look around, or better, start by your own business or department you are managing:

  • Do you think all businesses need Windows platform to run applications?
  • Do you think you use even 20% of Outlook features and capabilities?
  • Do you think most website owners need PHP vs simple HTML?
  • Have you ever walked to your company server room and ask your IT guy why things are setup like that?
  • Have you ever tried simpler software vs the one with more features?
  • Have you ever shopped based on what you need vs what has higher score reviews?

Those are just goofy questions just to fire up the real flame inside you which makes you as yourself: should I really totally trust people that are running my IT infrastructure, or I could use my common sense and just question why I need these complex system? What workflow my business really need and then what simple system is out there to support my workflow regardless of what market is pushing me to buy.

Complex system setup puts us in more trouble when we start securing it with the consistent complicated mindset, and that’s where we could end up having more insecurities after spending and relying on sophisticated security solutions. Experience has shown and proven that the simplest way to address security is designing and implementing a simple system, an straightforward workflow is naturally secure, or easier to secure with even free or cheap security solutions which are easier to maintain, manage and run, so the outcome is more secure and cheaper and more reliable and efficient.

Tips To Buy And Implement SIEM Solution

Use following checklist to make sure you are on the right track to choose your first or next SIEM solution. The whole process takes 1-4 weeks based on your dedication and vendor availability. Remember the worst thing is being in rush in five four steps:

  • Write a plan

Write down all the steps you anticipate and maintain documentation and progress during all stages. Put rough deadlines and start communicating to stakeholders.

  • Justify the need
Security Information and Event Management (SIEM) Implementation
Effectively manage the security information and events produced by your network…

This will help you have a better understanding of criteria later but generally, i would recommend this for any type of information security project. This step will assure you are not going to have SIEM just because it’s out there or even just because you have some spare money and other resources to spend.

You would ask yourself or your IT team, even your manager who has assigned you with the task: why we need SIEM? What type of problem is going to be resolved? What our world will look like after SIEM? Is this for sake of compliance, customer expectation, market urge, or as an enhancement to visibility of your environment.

  • Scope

Scoping gives you more understanding of the environment. Specifically with a concept like SIEM, the moment you start thinking about scope, you realize how much you might be behind the preparation of your environment.

  • Budget based on Risk

Budgeting based on your pocket is like overeating by intention when you know it’s bad for you. Budgeting without risk consideration will neutralize all the other steps. I consider this step so fundamental and ignoring it shows there is no understanding of the whole subject of information security within an organization.

A simple risk assessment can give you the right budget, but unfortunately that assessment most of the time does not exist so you have to create something from scratch just to support SIEM budgeting. We need to assess risk of not having enough visibility and detection in certain areas of IT operation and evaluate the risk factors. Once you start this process you will realize how most SIEM solutions in the market right now are naive and designed with a narrow vision.

  • Define criteria

During previous steps you should be able to compile criteria list. The more precise criteria, the easier to choose vendors initially. Without criteria there is no meaning to even browser a vendor website. With having criteria in hand, you easily check them in and out in next step.

You should compile a list of things like what is the primary objective, compliance, risk or threat management, architectural things like is it going to be managed or self, on-premises or cloud, interface and performance, type of log and data collection, integration considerations, correlation capabilities, intelligence feed, how about remediation and response and…

  • Identify targeted platforms

First you need to list SIEM vendors, there are tons of them out there and don’t think that good SIEM is a matter of how long a company has been doing this or how the brand is known, although this could be part of your criteria because vendor reputation is somehow a big factor, but do not confuse it with brand, not all know brands are necessarily better. Research and learn from vendors, we need to read all the white papers they provide and if they are not willing to share via website, it is not a good sign but don’ be discouraged and go for a meetup. Here is an staring list of vendors/solutions:

AlienVault, Cygilant, EventTracker, HP, IBM, LogRhythm, McAfee, NetIQ, Proficio, Rapid7, RSA, Solarwinds, Stratozen, Splunk…

…remember all are good and all are bad, it depends to your criteria.

  • Meetup with vendor
Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan
Any good attacker will tell you that expensive security monitoring and prevention tools aren’t enough to keep you secure…

Nothing is better than a short call, if you get the signal, go for a video presentation and have them demo. Never direct vendor, let them manage the meeting and content, listen to their question and start your evaluation from first call. Most vendors do not reveal anything alerting with email or regular phone calls so insist to have a demo and meet their technical team. Ask about your criteria but in the meantime listen to what and how they reveal. Based on your situation you may be more focused on how they execute or help you setup and run on-premises.

  • Lunch trials

Trials are best time and tool for evaluation, also it’s a sign of how much a vendor is comfortable and confident. I personally would not even thinking a solution if they are not willing to give a chance to try. Trials are not just for finding glitches, they are mainly to refine your criteria and turn expectations to real world scenarios. Always let vendor know if you go for a different one, you will never know what is going to be the next time to call them so be professional and respect marketing manners.

  • Evaluate

Now it is time to evaluate. Materials, meetings and trials, most of the times you get the answer by first 3-4 days of trial. Justify if you need to compromised any predefined criteria and never hesitate to re-define and refine new one but never forget justification. You have to sometimes re-assess a risk if you need to revise your criteria.

  • Prepare environment

Jumping in implementation without preparing your environment is not a good idea. Now it is time to go for all details and technical requirements which you should have planned for during scoping. Prepare VMs, Cloud apps and smallest things like SNMP and Windows Event Forwarding, this is the time for your technical team to show off. You should not have any problem if scoping was rational, but most companies have multiple issues in this stage because of lack of scoping in early stage.

  • Implement

Meet the deadline and kick off, this is going to be a big milestone with your IT Security operation.

  • Tune

Noise is the nature of SIEM so consider tune up based on size of the company and/or scope of system. This should be part of your baselining process anyway (if you have), without proper baselines your team will be confused and stresses for a longer time.

  • Leverage

What is going to happen after this is what you should have seen and anticipated during your planning phase. Whether your team is going to tackle other tasks by adding SIEM, or it is going to be independent or… all depends on your plan. Never accept something from a solution/vendor as a ‘want’ or good to have, unless there is an actual ‘need’ for it.

Stay tuned for explanation of a fully native free SIEM, security information and event management system, a solution for 80% of environments!

Vulnerability Management Elements

being able to dynamically connect and correlate data to different part of a vulnerability management interface is crucial.

Precise vulnerability management if one for the key to an agile security program.

Among non-technical but crucial elements like methodology, system and workflow behind your VM, there are some technical aspect which can totally change the outcome of VM. these easily turn your VM to a reliable management system.

being able to dynamically connect and correlate data to different part of a vulnerability management interface is crucial.

Interface!

Colorful interfaces for vulnerability management solutions are getting more and more common nowadays. Interfaces could simply distract us from main purpose of vulnerability management, or they could force their potentially lame “understanding of an standard VM process” to us and replace our very customized approach,. But regardless of their positive or negative impact on the process, they are the main element of a VM solution.

Penetration testers or operators of these VM software are solely relying on what is provided via user interface, and seeing what is happening in back-end is either impossible, or very limited. This is so different than first generation of vulnerability management solutions where operator was certainly who set the system up and configure and due to tools and techniques, s/he had to know what exactly is happening in back-end, as there was not any colorful front-end.

What we need to have in a VM interface and how it has to be linked to all aspect of the system are different stories, but for now just remember that interface to a VM is not like a normal user interface. If you cannot dynamically connect and correlate the data there then it is useless. Perhaps next generation has more AI involved but as of today you need to be able to change objects and their correlation, and be able to see what is happening behind the scene. Otherwise you better stick with a fully manual VM system.

Scoring

Everything is about scoring aka Ranking. It is considered ‘blind’ assessment If you do not rank based on a agreed scoring system. But does not mean CVSS is the solution.

Common Vulnerability Scoring System or CVSS has been playing the role of a defacto standard for ranking security vulnerabilities and version 3.0 has significantly better but far from a reasonable scoring methodology.

In practice, vulnerability assessment has to be done with very specific considerations of the target system. This includes the software slash client application, operating system, user privileges, network protocols and services… and dozen of other factors which all together affect the way a system can be exploited with presence of that specific vulnerability.

A CVSS score 10 might be ranked so low or even not needed to deploy! And a CVSS score 2 might be a patch or mitigation your need to deploy right away! It all depends on the description of the vulnerabilities, attack vectors, details of exploit… you need to read and research about a vulnerability in depth before giving it a score. You could utilize CVSS in your own scoring system, but you should never rely solely on CVSS. There are practical ways to assess each individual vulnerability.

Mitigation

This is the hardest part and solutions in current market are either not capable of handling this phase of VM for you, or they are so expensive and not affordable. Most of the tools for VM are not even able to roll a patch and have follow-up scanning and reliable validation, let alone taking care of the workarounds and countermeasures which requires intensive scripting and cross platform API.

The whole purpose of a VM is to mitigate weaknesses so if you focus on this phase you will find your organization having a very smooth system quickly.

Developing an organic scoring system with documentation of logic will let to a smart and meaningful scoring system.

In other words, assess vulnerabilities based on specific situation related to the details of exploitation method. A single particular vulnerability might not be applicable to all layers of an organization, or all similar machines. Develop an organic scoring system and document the logic so you will have solid justification for future similar vulnerabilities. It takes not more than a few months to develop an smart meaningful assessment and scoring system.

Focus on mitigation and not to have same vulnerability repeating again and again, those are considered corrective actions which are preventive also. Remember companies still get hacked after mitigating weaknesses because they do not pay attention to vector and surface of the attack and how exploitation works. Most of the times patching is not enough, even though vendors always release updates and patches.

The interface to a VM is where you should be able to see and understand everything. If you have to ping a node from a different interface, or your VM is not linked to your asset management system, do not waste your time and money, you could utilize free tools with same manner.

Three Reasons To Trust SECURE TARGET

Articles will be revealing in many aspect of information security and information technology in general, but why would you trust SECURE TARGET?

Articles will be revealing in many aspect of information security and information technology in general, but why would you trust SECURE TARGET?
Being blunt by default and straightforward about root causes of tech insecurities is not common at all. You will soon experience (if have not already) how the Computer Security business is not different from any other market. This is a business, why would you think market leaders do not want more profit and how they are able to make more profit without compromising some aspects of Real Security and pushing something to the market, not as a real ‘Need’ but more as a fake ‘Want’?
This has been one of the challenges of security products’ market in terms of customer acquisition, and the conflict between stakeholders and market drivers will always have its dark shadow over Security Initiatives, making consumer doubtful and uncertain about right solution.
Here you will be told about how to simply and effectively forever take care of the security of your computers and other information technology elements. You will realize which part of the market is real and which part is fake (and only for sake of making more money), but you should not be shocked as this is the reality of almost all businesses. Also it does not mean market is pushing something useless or necessarily insecure, it just might not necessary be what you need at the moment, it may be a waste of money, or may not be what your security program really demands, and yes sometimes it may totally put your security program in an insecure posture! Hence, jeopardizing Security with security!
In the other words, considering rule of “Complexity Equal Insecurity”, you generally pay more for something which not only is not more secure, but also downgrades your current quality of your security posture!
With many years of experience, transparency has been my first byproduct of IT business: I did not sell a single PC while it was possible to tune up the old one better than the current one, and I revealed all security details of a given IT element during my dedicated-focused-professional training without fear of having an student better than teacher! In the meantime, Questioning every aspect of computer technology without affiliation to any product or even any specific Trend put me in a neutral position where the metric would be measuring effectiveness, not what is possible at the moment according to market. So here’s why you can trust my judgment:

1) Member of both communities
I am an advocate to both communities of security and hackers. In order to stop Cybercrime we have to be virtually undercover and there is no way we can feel the heat of this battle unless being a front liner in security side.
Active learning from both communities is the key to help maintaining a healthy and secure cyberspace, something that is prone to turn to a myth! Defending a society is not possible unless knowing your enemy, and I am not talking about ridiculous hands-on training courses on ethical hacking. This is about social engineering of hackers community, that’s what they do with us every single minute of interaction. In opposite side, secure community, the most secluded introvert group of people who think that they can conquer a land before knowing the location of in on the map!

2) Research
knowing what is happening with the fastest-pace-industry-of -all -times (IT) is crucial but it is not enough for handling the unleashed horse of Cyber insecurities. Continuous Research is the key to maintain a level of balance between different individual cyber world entities: what is entering (or better say Penetrating) into world of cyber will bring its own insecurities to the equation which may totally change the current state of insecurities or magnitude of catastrophic outcome of other entities which were totally secure before introducing the new entity! It means we need to constantly research the current equation of cyber elements and assess different factors to manage ongoing changes in a secure manner. This requires research on all aspect of cyberspace not just those topics compiled with the word ‘security’.

3) Result oriented
Judge based on result and outcome not personal preferences, that’s the basic tool and logic of evaluation. Whether you prefer hot or cold coffee, does not change the state of hot and cold coffee! Simply every single security solution is good as long as the result is convincing and satisfying, and every single security solution is a waste of time and money as long as the outcome is not favorable. You could use this analogy with what SECURE TARGET offers as well: if the result is not superior and significantly positive then there is no reason to back up a solution.

ISO 27001 Audit Tips and Tricks

the easy way to maintain an effective, low cost and smart ISO 27001 security management system

ISO27001/ISO27002: A Pocket Guide
Information is one of your organisation’s most important resources…

Even though there is no magic behind auditing a system based on ISO 27001, there are simple tricks which help you handle ISO 27001 or many other similar standards and frameworks, both as and auditor and auditee.

I would point only at one single tip if I wanted to direct you to just one important aspect of ISO 27001, and that is “Links”. The connection between different parts of standard is the key to kingdom! Understanding this key makes you super strong either as an auditor or as an auditee.

There are certain connections between different Clauses or even different Controls. Majority of ISO 27001 standard element are linked together and this simple means, as long as you follow links, you will reach a final destination for sure which is the flawless system with no broken links.

Main links are from relationship between SoA, Risk, Asset and Access

Links are important because if Clauses, Documents, Policies, Controls…are not connected and consistent, you will be noncompliance ultimately. No matter how hard you try to have a comprehensive, beautiful, technical…set of policies, ignoring links is a reg flag for any experienced auditor, they simply see the effect right away and after that all system looks synthetic!

Main links are between SoA, Risk, Asset and Access. These are foundations and without proper linkage, there is no way to maintain a healthy, consistent, auditable ISO 27001 security management system. Start with SoA, that document is not an index or table of contents! Flow from SoA to Risk Assessment, vice versa and multiple times until all controls has justification. Never compile Asset policies without conducting demonstrating and understanding the links with higher SoA and Risk, and then jump into Access as the baby and outcome of first 3 document.

As an auditor you should always look for broken links because also analysing and accepting a subject without finding conceptual link with other topic is nothing more than ignoring the main purpose of standard, which is a solid management system, not a set of individual files and unclear processes.

As an auditee try to find your broken links prior to audit. This does not require internal audit at all. This is more and more reviewing your key documents by someone who understand the links and concepts, not just memorizing Clauses.

Remember after having a system flawless of broken links, you have already started the easy way to maintain an effective, low cost and smart ISO 27001 security management system, something which has the potential to make money for your business rather than a hassle and expense.