Monday, July 18, 2016

Effective Cyber Defense System

The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:

Offense informs defense

Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization

Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.

Metrics and measurements

Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation

Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation

Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

Monday, April 6, 2015

Effective Information Security Selling Guide

What are the qualities of a good salesperson? Whenever someone asks me this question -- my mind wanders to the 7 Habits (or qualities) of Highly Effective People, which are:

1) Pro-activeness and self-awareness
2) Start with the end in mind
3) Prioritize
4) Focus on win-win
5) Listen, understand, then speak and get understood
6) Develop the truest form of trust
7) Keep learning

These are the major qualities any person should seek and develop to be a good human being in general and a very good salesperson in particular.

Information security selling is no different from any other selling. The only difference between IT selling and security selling is that the latter focuses on a niche market. Getting security opportunities, driving customers and closing deals can be scarce and time consuming but delightfully rewarding. In the words of Steve Jobs, you really put a dent in the universe; more so in the security sense, where the feeling of protecting customers is both fascinating and cherished.

For information security selling to be effective, I propose the following list of steps from my experience: 

1) Identify pain-points -- what difficulties are being faced by the customer
2) Propose a solution -- that acts as ointment for the pain-point identified
3) Develop a business case -- focus on benefits in terms of time, resources and money!
4) Identify and set budget limitations -- develop win-win situation!  
5) Clarify, clarify, clarify! -- do demo, PoC, pilot to set the customer expectations right
6) Close the deal quickly -- keeping the purchase life-cycle in mind, focus on closing with full force
7) Give more -- develop dependency, be more than just useful! 

Good security selling encompasses strong passion, relentless vigor and constant follow-ups. I hope this post helps in making your customer choose the best solutions and services. Happy selling!

Sunday, April 5, 2015

Setting-up NAT in VMware Workstation

In this tutorial, we are going to set up a NAT configuration in VMware Workstation. The Workstation version being used is:

On VMware Workstation, click Edit and then Virtual Network Editor…

On the Virtual Network Editor window, click Add Network:

On the pop-up window, select VMnet2 and click OK:

The new Virtual Network would initialize with random settings:

The random settings adopted are as follows:

Now, change the Subnet IP and Subnet mask as follows and click NAT Settings:

Configure the NAT Settings as follows and click OK:

Afterwards, click DHCP Settings:

Set the DHCP Settings as follows:

DHCP Service would initialize, once done click Apply:

We are now ready to use our NAT configuration in the VMs.

Right click one of the VM where you want to configure NAT and click Settings:

Configure the Network Adapter settings as follows and click OK:

Since I like giving static IP addresses to my VMs (the DHCP service would work just fine), I configure the guest as follows:

The given settings would connect to Internet via the NAT configuration:

While VMnet2 is set, we would see this network adapter in Network Connections as follows:

For any queries, please feel free to reach out to me on wajahatrajab[@]gmail[.]com.

How VA Tools Work?

Vulnerability Assessment tools assist us in finding weaknesses in a system before they can be exploited. A Vulnerability Assessment tool takes the following steps in determining vulnerabilities:

  • Discovering – Sends ICMP requests and probes ports to see if the system is up and running; additionally checks if the system is behind a firewall or a filtering device
  • Port Mapping – Probes UDP and TCP ports to see which ports are open and accepting connections
  • OS fingerprinting – Detects which OS is running on the target system
  • Service Mapping – Sends different probes to see which services are running on the open ports
  • Vulnerability Mapping – Based on the identified services, tries to find the vulnerabilities associated with them

There are many Vulnerability Assessment tools available — NeXpose, Nessus and QualysGuard being a few that scan the whole infrastructure, including web applications. There are also dedicated tools for web application scanning only (dynamic analysis), such as AppScan Standard, WebInspect, Burp Suite and Acunetix. Similarly, there are dedicated tools for automated source code review (static analysis), such as AppScan Source, Fortify and Veracode.

Alongside finding weaknesses, Vulnerability Assessment tools also provide remediation techniques for eradicating or patching the weakness.
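Of the five steps listed above, the last one turns scan results into findings with remediation. As an added example (not from the original post or any of the tools named), here is a small Python version of that vulnerability-mapping step, run over a constructed service inventory and a constructed advisory catalogue; the EXAMPLE-* identifiers, hosts and version ranges are made up and do not describe real vulnerabilities.

```python
import re
from collections import namedtuple

# A service found by the discovery, port mapping and service mapping steps.
Service = namedtuple("Service", "host port product version")
# Catalogue entry: id is a placeholder (not a real CVE); introduced is the first
# affected version (inclusive), fixed the first fixed version (exclusive).
Advisory = namedtuple("Advisory", "id product introduced fixed severity remediation")

def parse_version(text):
    """'7.4p1' -> (7, 4): keep the leading digits of each dotted piece."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)

def is_affected(version, adv):
    """True when introduced <= version < fixed; pads so that '2.4' == '2.4.0'."""
    v, lo, hi = (parse_version(x) for x in (version, adv.introduced, adv.fixed))
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (width - len(t)) for t in (v, lo, hi))
    return lo <= v < hi

def map_vulnerabilities(services, catalogue):
    """Return (host, port, id, severity, remediation) tuples, worst severity first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [(s.host, s.port, a.id, a.severity, a.remediation)
                for s in services for a in catalogue
                if a.product == s.product and is_affected(s.version, a)]
    return sorted(findings, key=lambda f: rank[f[3]])

# Constructed sample catalogue and scan results; versions and ranges are made up.
CATALOGUE = [
    Advisory("EXAMPLE-0001", "Apache httpd", "2.4.0", "2.4.50", "critical",
             "Upgrade Apache httpd to 2.4.50 or later."),
    Advisory("EXAMPLE-0002", "OpenSSH", "7.0", "8.2", "medium",
             "Upgrade OpenSSH to 8.2 or later."),
]
SERVICES = [
    Service("10.0.2.15", 80, "Apache httpd", "2.4.49"),
    Service("10.0.2.15", 22, "OpenSSH", "7.4p1"),
    Service("10.0.2.20", 22, "OpenSSH", "8.4p1"),        # above the fixed version
    Service("10.0.2.20", 443, "Apache httpd", "2.4.50"),  # boundary: already fixed
]
if __name__ == "__main__":
    for host, port, ident, sev, fix in map_vulnerabilities(SERVICES, CATALOGUE):
        print(f"{host}:{port} {ident} [{sev}] -> {fix}")
```

The version padding matters at range boundaries: a banner reporting only "2.4" must be treated as 2.4.0, otherwise tuple comparison would place it below the start of the affected range and the finding would be missed.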

Starting Information Security Career?

A lot of people ask me every now and then how to start a career in information security. These people range from young graduates to mid-level professionals and even manager-level professionals. So, I thought of writing a blog post that would help hundreds of these knowledge pursuers and career changers to effectively enter the rich and broad field of information security. The post has been written from the perspective of service providers (joining one is the best way to learn the ins and outs of information security!).

To keep it very simple, there are two major domains in information security field:

1) Technical
2) Managerial

In the technical domain of information security, as the name suggests, almost all the work is technical. You (can) work on technical solutions and services either in R&D, pre-sales, post-sales, training and/or support. Each of these is explained as follows:
  • R&D: You find out how different technologies work and gain expertise on them in your test environment (to start with). Or, you develop a technology solution, service or training of your own that helps protect organizations in their security goals and endeavors.
  • Pre-Sales: You face customers! You pitch them your solutions and services. The pitching can range from presentations to demos to PoCs to running pilots to drafting RFPs to complying with the requirements via RFP responses to designing BoQs. The majority of selling happens here!
  • Post-Sales: Once the pre-sales ends successfully -- the post-sales phase kicks in. In this phase, you implement and deploy solutions for the customer or provide services as per the defined scope and acknowledged project plan. The major component of this phase is helping customers in designing, configuring and implementing the solution or service in a way that benefits them the most.
  • Training: The trainings can be product based or product independent, focusing on developing a particular skill. Usually, once the solution or service has been successfully implemented -- the customers desire hands-on training to enable their resources to handle the daily routine operations associated with the solution or service. That is one aspect of training. Training can also be provided independently to enable customer resources to perform a particular area of their job (for example, incident response, malware analysis, etc.) effectively. There are a lot of training bodies as well (EC-Council, (ISC)2, ISACA, etc.) -- delivering their trainings can be quite productive financially, and a lot of solution / service providers do this and have dedicated training teams and departments.
  • Support: Support is an essential part of solution and service selling. Support ensures that business flow is continuous and customer retention is effectively 100%. In the support phase, customers are able to get their issues fixed (via support engineers) swiftly in the solution they have deployed or the service that is being used.

In order to be able to perform any of the above activities (or the activities associated with the phase of your interest) -- you need to have good technical research, knowledge acquiring and knowledge transferring skills. Often, technical people think -- they do not need to work on their soft skills -- assumptions like that are very wrong. Good soft skills are a must for any information security professional and are very essential for growth!

Now, coming to the second major domain of information security; the managerial part of information security encompasses security management practices varying from policy development, risk management, compliance assurance to process optimization, standards' implementation, suggesting controls, ensuring they are implemented and reviewing their effectiveness.

The managerial domain is more focused on people and processes and is interlinked with technical domain via use of technology. Managerial domain aligns information security with business goals of the organization and frequently takes into account ROI while reducing the risk at the same time. Different ISMS standards like ISO 2700x and BCM standards like ISO 22301 / 22313 come directly under managerial domain of information security.  

My recommendation for entering in information security has always been to start from technical domain, get a feeling of working in information security and then choose where you want to go. If you want to stay on technical side, following are some of the fields:
  • Work with security related solutions like endpoint security, vulnerability assessment, security information and event management, identity and access management, data leakage prevention, two-factor authentication, database security, web application firewalls, next generation infrastructure firewalls, IPS, IDS, advanced threat detection solutions and so on. 
  • Work with security related services like vulnerability / threat assessment, penetration testing, network design review, source code review, digital forensics, incident response, malware analysis / reverse engineering and so on.
  • Work with security related trainings to enhance the skills of knowledge-seekers. Apart from trainings or courses offered by governing bodies -- trainings can range from integrating a secure software development lifecycle to performing black-box / white-box penetration tests to performing incident response or doing malware analysis and so on.

My other recommendation, particularly for young graduates, is to work with IT technologies first; get a good understanding of how stuff works, go in-depth and gain expertise in implementing them. Once that is done -- you are in a very good position to be able to either circumvent or protect these technologies and information systems. Changing role from implementing a technology to protecting it becomes easy this way. For a technical information security professional, high-paced research and gaining quick knowledge of technologies is key to success alongside good soft skills.

Working in the technical domain at the start of an information security career helps a lot in understanding the underlying technologies, how they can be vulnerable (to attacks), and how to put the right controls in place to keep them protected effectively and efficiently. This path also helps in entering the managerial domain without much effort -- all you need to do is study ISMS or BCM standards and develop an understanding of performing thorough risk management or business impact assessment. Once you have developed a good understanding of how different standards work and can be implemented -- you are ready to work as a Consultant for firms that want to implement or have their ISMS reviewed.

The key skills generally needed to become an information security professional are as follows: 
  • Focused research 
  • Persistence and hard work
  • Communication (both oral and written)
  • People skills

The top certifications to transform your career in information security are as follows:
  • CEH or CPTE (technical)
  • CHFI or CDFE (technical)
  • OSCP (technical)
  • CISSP (managerial)
  • ISO 27001 Lead Implementer / Auditor (managerial)
  • BCI certifications (mostly managerial) 

I hope the information presented in this post assists immensely in choosing information security as your career path. In case you want to discuss this further -- please feel free to reach out to me on wajahatrajab[@]gmail[.]com.

Saturday, March 14, 2015

Growth Mindset vs. Fixed Mindset

Do you like going out of your comforts every now and then?
Do you like developing new skills and improving existing ones?
Do you like changing yourself for the better?

If yes, you have a growth mindset. If not, you have a fixed mindset. People with fixed mindset are prone to staying average -- whereas, people with growth mindset keep on pushing their average skills to grow further and further.

Following are some of the facts about people with growth mindset and people with fixed mindset:

  • For a growth mindset, success is the "process" of pushing themselves to achieve goals. Whereas, for a fixed mindset, success is "proving" themselves to others. 
  • People with growth mindset have the ability to stay innovative by taking constant inputs, analysis and criticism to further improve what they do. While, people with fixed mindset want to stick with what they know the best and what they are good at without giving much emphasis to good input, analysis and criticism. 
  • People with a growth mindset make mistakes, learn from them and improve -- while people with a fixed mindset make mistakes and quit.
  • People with growth mindset are explorers of new ventures -- whereas, people with fixed mindset are stuck in their comfort zones. 

To conclude, everything is in a constant flow -- that is how life works. Getting stuck in your brick-wall and not climbing it or pushing yourself to cross it, takes the life out of you. 

Sunday, July 6, 2014

How to make SIEM PoC effective?

Here is how you can make the SIEM PoC effective: 

1) List down the existing issues that need to be resolved 
2) List down the potential issues that could happen 
3) Ask for use case implementation for #1 and #2 
4) Observe the effectiveness of the solution as per your environment 
5) Observe usability, scalability and feature-set being offered 
6) Observe the skill level of the service provider / vendor 
7) Grade based on #3, #4, #5, #6 

Additionally, you may ask the following questions to your vendor to warm them up a little: 

1) How long would it take to go from installation to actual threat or security insights?
2) How many dedicated team members or consultants are needed to keep the solution up and interoperable?
3) Does the proposed solution provide alerts along with step-by-step remediation?
4) What if we don't have the technologies in place that are needed to feed the SIEM?