All Blog Posts
2021
InfosecConsultCon
VALUABLE RESOURCES AND STRATEGIES REVEALED BY THE TOP INFOSEC CONSULTING ENTREPRENEURSHIP EXPERTS IN THE WORLD
2020
Interactively Exploring NTFS Timestamps
Interactively explore how common operating system activities impact NTFS timestamps.
2019
Create an EC2 that Runs Chrome for Sandboxed Web Surfing
Use a temporary system that is totally isolated from anything sensitive
The Equifax Data Breach and the Apache Struts Vulnerability
Recommendations and lessons learned from the Equifax Data Breach
Test Early, Test Often
Illustrating the business value of early SAST
Check Multiple AWS S3 Buckets for Missing Default Encryption
Here is a simple one-liner to check all the buckets in a single account:
2018
Timestamp bash_history with every command
Customize your bash_history…
2017
Linux Hardening
I have found that Lynis is a great way to audit a system for CIS benchmark compliance.
Information Security at Startup Companies
How can a young professional convince startups that InfoSec is needed?
Has SHA-1 been hacked?
To summarize, SHA-1 has not been hacked; it is simply no longer strong enough against today’s computing power.
2016
FIPS 140-2 in a Nutshell
Guide to understanding FIPS 140-2 validation levels
The Trust-Value Equation
I must trust that the benefit that I gain from using your service exceeds the concerns (Fear, Uncertainty, and Doubt) that I have about using it.
The Encryption Magic Bullet
Encryption is not a magic bullet, but it does play a vital role in a company’s data protection strategy.
Capture a spurious outbound connection with NETSTAT
Need something quick and dirty to create a log of outbound connections on Windows?
Modify a line in wtmp - Linux Accounting
The /var/log/wtmp file in a Linux system contains data about past user logins.
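As an added example (not code from the original post), the following parses wtmp records with Python's `struct` module, rewrites one field of one record while keeping the file size unchanged, and prints the result in a `last`-like form. It assumes the glibc `struct utmp` layout used on x86-64 Linux (384 bytes per record); other architectures differ, which the length check catches. The three-record wtmp is constructed inline.

```python
"""Parse and rewrite records in a Linux wtmp file (added example)."""
import struct
import time

# glibc `struct utmp` on x86-64 Linux (assumed to match the post's host).
# Fields in order: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{e_termination, e_exit}, ut_session,
# ut_tv{sec, usec}, ut_addr_v6[4], 20 unused bytes. "<" = little-endian,
# no implicit alignment.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def new_record(**fields):
    """Record dict using glibc field names; unspecified fields default to 0/empty."""
    rec = {"ut_type": 0, "ut_pid": 0, "ut_line": "", "ut_id": "", "ut_user": "",
           "ut_host": "", "e_termination": 0, "e_exit": 0, "ut_session": 0,
           "tv_sec": 0, "tv_usec": 0, "ut_addr_v6": (0, 0, 0, 0)}
    unknown = set(fields) - set(rec)
    if unknown:
        raise KeyError(f"unknown utmp fields: {sorted(unknown)}")
    rec.update(fields)
    return rec


def pack_record(rec):
    """Serialize a record dict to UTMP_SIZE bytes (struct.pack NUL-pads the byte fields)."""
    return struct.pack(UTMP_FMT, rec["ut_type"], rec["ut_pid"],
                       rec["ut_line"].encode()[:32], rec["ut_id"].encode()[:4],
                       rec["ut_user"].encode()[:32], rec["ut_host"].encode()[:256],
                       rec["e_termination"], rec["e_exit"], rec["ut_session"],
                       rec["tv_sec"], rec["tv_usec"], *rec["ut_addr_v6"])


def parse_wtmp(blob):
    """Return the records of a wtmp byte string as a list of dicts."""
    if len(blob) % UTMP_SIZE:
        raise ValueError(f"length {len(blob)} is not a multiple of {UTMP_SIZE}: "
                         "different architecture layout or truncated file")
    records = []
    for off in range(0, len(blob), UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, blob[off:off + UTMP_SIZE])
        records.append(new_record(
            ut_type=f[0], ut_pid=f[1], ut_line=_cstr(f[2]), ut_id=_cstr(f[3]),
            ut_user=_cstr(f[4]), ut_host=_cstr(f[5]), e_termination=f[6],
            e_exit=f[7], ut_session=f[8], tv_sec=f[9], tv_usec=f[10],
            ut_addr_v6=tuple(f[11:15])))
    return records


def rewrite_record(blob, index, **changes):
    """Copy of blob with the given fields of record `index` replaced; size is preserved."""
    records = parse_wtmp(blob)
    patched = pack_record({**records[index], **changes})
    off = index * UTMP_SIZE
    return blob[:off] + patched + blob[off + UTMP_SIZE:]


def describe(rec):
    """One line per record, roughly in the style of `last` (UTC)."""
    when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(rec["tv_sec"]))
    kind = {BOOT_TIME: "boot", USER_PROCESS: "login",
            DEAD_PROCESS: "logout"}.get(rec["ut_type"], str(rec["ut_type"]))
    return f"{when} {kind:6} user={rec['ut_user']!r} line={rec['ut_line']} host={rec['ut_host']}"


# Constructed wtmp: a boot, alice logging in from 203.0.113.7, then her logout.
SAMPLE_WTMP = b"".join(pack_record(r) for r in (
    new_record(ut_type=BOOT_TIME, ut_line="~", ut_id="~~", ut_user="reboot",
               ut_host="5.4.0-generic", tv_sec=1577836800),
    new_record(ut_type=USER_PROCESS, ut_pid=4242, ut_line="pts/0", ut_id="ts/0",
               ut_user="alice", ut_host="203.0.113.7", tv_sec=1577840400),
    new_record(ut_type=DEAD_PROCESS, ut_pid=4242, ut_line="pts/0", ut_id="ts/0",
               tv_sec=1577844000),
))

if __name__ == "__main__":
    for r in parse_wtmp(SAMPLE_WTMP):
        print(describe(r))
    modified = rewrite_record(SAMPLE_WTMP, 1, ut_host="10.0.0.5")
    print("after rewrite:", describe(parse_wtmp(modified)[1]))
```

From the defender's side the lesson is that wtmp is a plain binary file with no integrity protection: a size-preserving edit like the one above leaves `last` output looking normal. Corroborate logins against btmp, lastlog, the auth log or journal, and the file's own modification time, and ship those logs off-host.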
Are BitTorrent Pieces 250Kb Long?
I was researching BitTorrent and noticed in the Specification that it said that the typical length of a Piece was 250 kilobytes long. That made me curious…
SOC 1 vs SOC 2
The difference between a SOC 1 report and a SOC 2 report and why an organization would have both.
2015
Questions to Ask Executive Management when Considering a New Job
You should be interviewing the company that you are considering working for to determine if you will be a good fit for the culture and values of the company.
A Python Parser for BitTorrent Metainfo Files
To help understand the data contained in a metainfo file, I created a python script called “bittorrent-parse.py.”
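As an added example, and not the author's bittorrent-parse.py, here is a small bencode codec and a metainfo summary that reports the piece length (the value the earlier "Are BitTorrent Pieces 250Kb Long?" post set out to check), the piece count, the total payload size and the info hash. The info hash is computed over the raw bytes of the `info` dictionary as they appear in the file, not over a re-encoding, because that is the value the tracker and peers use. The sample .torrent is constructed inline with a 256 KiB piece length; real torrents vary.

```python
"""Minimal bencode codec and .torrent metainfo summary (added example)."""
import hashlib
import math


def bencode(obj):
    """Encode int / bytes / str / list / dict in canonical bencode (dict keys sorted)."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, (bytes, bytearray)):
        return b"%d:%s" % (len(obj), bytes(obj))
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else bytes(k), v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def _decode(data, i):
    """Decode one value at offset i; return (value, offset after it).
    Malformed or truncated input raises ValueError rather than looping."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        i, d = i + 1, {}
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            if not isinstance(k, bytes):
                raise ValueError(f"dictionary key ending at {i} is not a byte string")
            v, i = _decode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        if start + n > len(data):
            raise ValueError(f"string at {i} runs past end of data")
        return bytes(data[start:start + n]), start + n
    raise ValueError(f"unexpected byte {c!r} at offset {i}")


def bdecode(data):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing bytes after value")
    return value


def is_valid_bencode(data):
    try:
        bdecode(data)
        return True
    except ValueError:
        return False


def info_dict_span(blob):
    """(start, end) offsets of the raw `info` dictionary; SHA-1 of exactly these bytes is the info hash."""
    if blob[:1] != b"d":
        raise ValueError("metainfo must be a dictionary")
    i = 1
    while blob[i:i + 1] != b"e":
        key, i = _decode(blob, i)
        start = i
        _, i = _decode(blob, i)
        if key == b"info":
            return start, i
    raise ValueError("no info dictionary")


def summarize_torrent(blob):
    meta = bdecode(blob)
    info = meta[b"info"]
    piece_len, pieces = info[b"piece length"], info[b"pieces"]
    if piece_len <= 0 or len(pieces) % 20:
        raise ValueError("bad piece length or pieces field")
    total = sum(f[b"length"] for f in info[b"files"]) if b"files" in info else info[b"length"]
    num_pieces = len(pieces) // 20
    if num_pieces != math.ceil(total / piece_len):  # hash count must match payload size
        raise ValueError(f"{num_pieces} piece hashes for {total} bytes at {piece_len} per piece")
    start, end = info_dict_span(blob)
    return {"name": info[b"name"].decode("utf-8", "replace"),
            "announce": meta.get(b"announce", b"").decode("utf-8", "replace"),
            "piece_length": piece_len, "piece_length_kib": piece_len / 1024,
            "num_pieces": num_pieces, "total_length": total,
            "last_piece_length": total - (num_pieces - 1) * piece_len,
            "info_hash": hashlib.sha1(blob[start:end]).hexdigest()}


# Constructed single-file torrent: 600000 bytes in 256 KiB pieces, so three
# piece hashes (the values here are placeholders, not real SHA-1 digests).
SAMPLE_TORRENT = bencode({"announce": "http://tracker.example/announce",
                          "info": {"name": "example.bin", "piece length": 262144,
                                   "length": 600000, "pieces": b"\x11" * 20 + b"\x22" * 20 + b"\x33" * 20}})

if __name__ == "__main__":
    for k, v in summarize_torrent(SAMPLE_TORRENT).items():
        print(f"{k:18} {v}")
```

The consistency check on the number of piece hashes matters for any tool that trusts metainfo from the network: a file whose `pieces` field disagrees with its declared length is either corrupt or crafted.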
Bash Script Tests for OS and Run as Root
Using sed in bash scripts to check for root and OS version
How to Install TSHARK in Unattended Mode via Script
After extensive searching the InterWebs and finding a lack of documentation on how to install TShark in a silent/unattended mode, I came across a related Sta…
Change config settings using a bash script
There is a trend to perform all system administration tasks using scripts. The benefit of this approach is that the scripts can be checked into a source cont…
CISSP vs CEH vs Security+
A friend of mine recently made the following post on his Facebook page. It resulted in an interesting discussion, so I thought that I would share it and my …
The Contracting Life Cycle
Just as there is a life cycle for software development, there is a life cycle for contracting and this cycle must be managed as well to assure information se…
Define: PCI Service Provider
When working with the Payment Card Industry Data Security Standard (PCI-DSS) it is important to understand this definition to make sure your compliance progr…
2013
Defense-in-depth, Part 2
Last post, I discussed the concept of defense-in-depth (DiD) where overlapping controls provide increased security, particularly if one of the controls shoul…
ZeroBin XSS Vulnerability Patched in 0.19
Sébastien Sauvage has just informed me that he has released Version 0.19 to address the Cross-Site Scripting vulnerability that I wrote about in my previous…
ZeroBin as a XSS Attack Platform
What if you could have hundreds of websites from which to launch an encrypted cross-site-scripting attack?
Defense in Depth
Think about your security controls. Have you identified which controls are preventive, and which are detective or deterrent controls? Also remember that th…
Security Policy Exceptions
I was reading a debate on a Linkedin.com forum discussing all kinds of edge cases that some participants were arguing needed to be considered in a security…
Shannon Entropy of Various File Formats
Today, I will show the results of using this tool for a cursory examination of the Shannon entropy of various, common file formats.
Calculate File Entropy
Entropy is a measure of randomness. The concept originated in the study of thermodynamics, but Claude E. Shannon applied the concept to digital…
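As an added example (not the author's tool from either entropy post), the code below computes Shannon entropy in bits per byte for a byte string or a streamed file, puts the result into rough bands, and scans fixed-size windows so that a small encrypted or packed region inside an otherwise plain file is not averaged away. The band thresholds and the window size are this example's assumptions; the sample inputs are constructed.

```python
"""Shannon entropy of byte strings, files and sliding windows (added example)."""
import math
import os
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 when all
    256 byte values are equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_entropy(path, chunk_size=1 << 20):
    """Entropy of a whole file, streamed so large files need not fit in memory."""
    counts, n = Counter(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            counts.update(chunk)
            n += len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(entropy):
    """Rough bands; the thresholds are assumptions for this example."""
    if entropy >= 7.5:
        return "compressed, encrypted or random"
    if entropy >= 5.0:
        return "mixed binary"
    return "text-like or highly repetitive"


def high_entropy_windows(data, window=512, threshold=7.0, step=None):
    """Offsets of fixed-size windows whose entropy is at least `threshold`.
    Whole-file entropy hides a small high-entropy blob in a large plain file."""
    step = step or window
    return [off for off in range(0, len(data) - window + 1, step)
            if shannon_entropy(data[off:off + window]) >= threshold]


def random_sample_entropy(n=4096):
    """Entropy of n bytes from the OS RNG; close to, but slightly below, 8.0."""
    return shannon_entropy(os.urandom(n))


# Constructed samples: 1 KiB of one byte, a block in which every byte value
# occurs equally often, and a padded file with that block in the middle.
FLAT = b"A" * 1024
UNIFORM = bytes(range(256)) * 4
PADDED = b"A" * 1024 + UNIFORM + b"A" * 1024

if __name__ == "__main__":
    samples = (("flat", FLAT), ("uniform", UNIFORM), ("urandom", os.urandom(4096)),
               ("english", b"the quick brown fox jumps over the lazy dog " * 50))
    for name, blob in samples:
        h = shannon_entropy(blob)
        print(f"{name:8} {h:.3f} bits/byte  {classify(h)}")
    print("high-entropy windows in PADDED:", high_entropy_windows(PADDED))
```

Two caveats when using this in practice: entropy cannot tell compression from encryption (a zip and an AES-CBC ciphertext both sit near 8.0), and short windows bias the estimate downward because 256 symbols cannot all appear in a few hundred bytes, so tune the threshold to the window size rather than reusing a whole-file threshold.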
Securely Delete Files with SDelete
There is a variety of GUI-based utilities such as CCleaner or Freeraser, but SDelete is very simple to use for anyone comfortable with the command line. SDe…
Why Have Security Policy?
I have found that not everyone has considered the role of security policy in an organization’s information security management program. Therefore, I will sh…
Goodbye Oz Data Centa
The Oz Data Centa (ozdc.net) was a very useful tool for monitoring PasteBin and I, for one, will miss it.
The Difference Between Leaders & Non-Leaders
I came across this typewritten list from about 25 years ago. I’m not exactly sure who wrote it, but at the time it made an impression on me.
Eight Traits for Vision
Simple list of Eight Traits for Vision
2012
PowerShell Script to Log Network Connections
The Log-Connections.ps1 file is a PowerShell Script that Logs active TCP connections and includes the process ID (PID) and process name for each connection o…
Looking in Pastebin at the Hactivism Carnage
The Web is full of news about websites that have been breached or defaced by internet hackers. Occasionally these articles will include a hyperlink to Pasteb…
CMM & Organizational Process Maturity
Since the Software Engineering Institute first published the capability maturity model, many other organizations have adapted the concepts to process maturit…
Lessons Learned from the JFK Jet Skier Incident
Earlier this week media outlets had a field day with the news story about Daniel Casillo, the guy who swam up to the JFK runway…
Zero Factor Authentication
What do I mean by Zero Factor Authentication? …
Be an Actor, Not a Reactor
I love reading about brain research and understanding how we learn. It seems our brain is constantly making connections between things that we are learning …
Success Has Many Fathers
But ponder for a moment, a double meaning…
OPSEC is Really Not OPSEC
I am delighted to have an entry written by Jack Emanuelson, an independent contractor specializing in OPSEC and information assurance.
Ironic OpSec
What struck me as ironic is that the document is labeled For Official Use Only (FOUO) which means that the government intends to limit its distribution.
How Hackers Get Passwords
Systems that contain more sensitive data need stronger passwords. Strong passwords avoid dictionary words and include symbols and numbers…
What does trust have to do with it?
Let’s think about what trust has to do with what we do
Are We More Secure Today?
Yesterday I was asked a question in passing. The question was this: Are we more secure today? My reflexive answer was…
Security & Customer Trust
In my role as a security professional, I have pondered the various dimensions of trust and have some thoughts on the subject…
The Sources of Influence Behind My Leadership Style
During the course of my career I have had the opportunity to be exposed to a variety of leadership styles and have also adopted a style of my own…
2011
My Security Philosophy
An essay of how I think about security management
As a leader, you want to establish the strategy (management by objectives, MBO) and the operating parameters (management by exception, MBE), and then inspire and fuel the discussion by walking around (MBWA).
Skype in the Enterprise
The following excerpt is a thread… This discussion was the impetus for my article Is Skype Secure?
Hire Yourself as a Consultant
In today’s fast paced world, we are often so busy trying to scratch off items on our to-do lists that we short change ourselves of time to reflect on how to …
Is Server Downtime an Information Security Incident?
Is server downtime an information security event even if it was due to a technical fault?
Moments of Truth - Examining Your Organization’s Customer Service
‘Moments of truth’ are snapshots that reveal the character of an organization.
Maxwell’s Law of the Scoreboard
I reread a John C. Maxwell book entitled The 17 Indisputable Laws of Teamwork. In this book, Maxwell has a chapter dedicated to the Law of the Scoreboard…
Alligator Fighting
Several years ago, I saw a quote that has resonated with many of the people that I have consulted with over the years.
Take Steps to Achieve Greatness
The little steps we take each day accumulate to become the distance traveled on the path to success.
Plan - Do - Check - Act
One methodology that I use frequently is called the ‘Plan-Do-Check-Act’ Cycle.
A Quality Thought
A thought or two on the topic of Quality
2010
Separation of Duties in Scrum Software Development
An important consideration for organizations incorporating agile techniques into their Software Development Life Cycle (SDLC).