Wednesday, February 1, 2017

Infrastructure Security - Vulnerability Management

A vulnerability is a weakness in a system that can be exploited by threat agents. In computer security, vulnerabilities can exist in information systems ranging from operating systems, databases, web servers and web applications to switches, routers and even security solutions and devices. Vulnerabilities arise, and are exploited, because of a lack of security focus during application and system development, reliance on protocols that are themselves vulnerable, or dependency on third-party packages and services.

Vulnerability management solutions help automate the process of proactively identifying vulnerabilities in systems and evaluating the associated risks, so that prioritized remediation and risk mitigation can be carried out before a threat agent exploits them. Vulnerability management solutions are not mere vulnerability assessment tools: on top of assessment they provide features such as organization-specific risk ratings, risk acceptance, risk tracking, a ticketing system, and user roles and permissions, to name a few.

Apart from reducing the threat exposure caused by prevalent vulnerabilities, vulnerability management solutions also help in meeting the compliance requirements of PCI DSS, FISA, HIPAA and CIS standards for vulnerability and configuration management. The central vulnerability management console supports identification of vulnerabilities on the many systems, devices and web applications deployed in an organization and stays current through regular updates. Role creation lets different departments fulfill their responsibilities for vulnerability identification, infrastructure auditing and web application testing with ease and effectiveness, via an intuitive dashboard and actionable reporting.

Vulnerability management solutions also provide the ability to test the effectiveness of existing controls on servers and desktops, such as anti-virus, OS hardening and patch management, browser hardening, password hardening and so on. The ease of validating vulnerabilities, either with the solution's own capabilities or with third-party exploitation tools, makes vulnerability management solutions unique and helps improve risk mitigation efforts.

Endpoint Security - Malware Protection

In computer security, the general definition of an endpoint is any device connecting to the network. When talking about endpoint security, the device can be a mobile device, a laptop, a workstation or even a server. Endpoint security is hence the securing of these devices, mostly by using technology-based solutions. One of the important tasks in endpoint security is protecting endpoints from malware. Malware is any malicious program that can adversely affect, disrupt or damage the working of the endpoint and, on top of that, steal sensitive information. The most common types of malware are viruses, worms, Trojans, adware and spyware.

Endpoint security solutions provide a range of features that help in the detection and prevention of malware. Apart from detection and prevention, endpoint security also helps in remediating compromised endpoints. The features provided by endpoint security solutions range from antivirus, personal firewall, exploit prevention and host intrusion prevention to proactive protection capabilities like vulnerability and patch management.

Endpoint security solutions target both known malware (for which signatures have been created) and unknown malware (for which signatures are not yet available). How effective a solution is at detecting malware, preventing infection and stopping its spread depends on how the solution is configured, as well as on the technology and intelligence incorporated into it. Endpoint security solutions also provide easy centralized management, which gives visibility into the security level and system health of all endpoints and supports easy security policy implementation, updating, reporting of critical system events and troubleshooting.

Monday, July 18, 2016

Effective Cyber Defense System

The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:

Offense informs defense

Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization

Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.

Metrics and measurements

Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation

Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation

Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

Monday, April 6, 2015

Effective Information Security Selling Guide

What are the qualities of a good salesperson? Whenever someone asks me this question -- my mind wanders to the 7 Habits (or qualities) of Highly Effective People, which are:

1) Pro-activeness and self-awareness
2) Start with the end in mind
3) Prioritize
4) Focus on win-win
5) Listen and understand, then speak and be understood
6) Develop the truest form of trust
7) Keep learning

These are the major qualities any person should seek and develop to be a good human being in general and a very good salesperson in particular.

Information security selling is no different from any other selling. The only difference between IT selling and security selling is that the latter focuses on a niche market. Security opportunities can be scarce, and driving customers and closing deals is time consuming, but it is delightfully rewarding. In the words of Steve Jobs, you really put a dent in the universe; in the security sense, the feeling of protecting customers is both fascinating and cherished.

For information security selling to be effective, I propose the following steps from my experience:

1) Identify pain-points -- what difficulties are being faced by the customer
2) Propose a solution -- one that acts as ointment for the identified pain-point
3) Develop a business case -- focus on benefits in terms of time, resources and money!
4) Identify and set budget limitations -- develop a win-win situation!
5) Clarify, clarify, clarify! -- do a demo, PoC or pilot to set the customer's expectations right
6) Close the deal quickly -- keeping the purchase life-cycle in mind, focus on closing with full force
7) Give more -- develop dependency; be more than just useful!

Good security selling encompasses strong passion, relentless vigor and constant follow-ups. I hope this post helps you make your customers choose the best solutions and services. Happy selling!

Sunday, April 5, 2015

Setting-up NAT in VMware Workstation

In this tutorial, we are going to set up a NAT configuration in VMware Workstation. The Workstation version being used is:

On VMware Workstation, click Edit and then Virtual Network Editor…

On the Virtual Network Editor window, click Add Network:

On the pop-up window, select VMnet2 and click OK:

The new virtual network initializes with random settings:

The random settings adopted are as follows:

Now, change the Subnet IP and Subnet mask as follows and click NAT Settings:

Configure the NAT Settings as follows and click OK:

Afterwards, click DHCP Settings:

Set the DHCP Settings as follows:

The DHCP service initializes; once done, click Apply:

We are now all set to use our NAT configuration in VMs.

Right-click the VM on which you want to configure NAT and click Settings:

Configure the Network Adapter settings as follows and click OK:

Since I like giving static IP addresses to my VMs (the DHCP service would work just fine), I set the following:

With these settings, the VM connects to the Internet via the NAT configuration:

Once VMnet2 is set up, its network adapter appears in Network Connections as follows:

For any queries, please feel free to reach out to me on wajahatrajab[@]gmail[.]com.

How VA Tools Work?

Vulnerability Assessment tools assist us in finding weaknesses in a system before they can be exploited. A Vulnerability Assessment tool takes the following steps in determining vulnerabilities:

  • Discovery – Sends ICMP requests and probes ports to see whether the system is up and running; additionally checks whether the system is behind a firewall or a filtering device
  • Port Mapping – Probes UDP and TCP ports to see which ports are open and accepting connections
  • OS Fingerprinting – Detects which OS is running on the target system
  • Service Mapping – Sends different probes to see which services are running on the open ports
  • Vulnerability Mapping – Based on the identified services (and their versions), looks up the vulnerabilities associated with them

There are many Vulnerability Assessment tools available — NeXpose, Nessus and QualysGuard being a few that scan the whole infrastructure, including web applications. There are also dedicated tools for web application scanning only (dynamic analysis), like AppScan Standard, WebInspect, Burp Suite and Acunetix. Similarly, there are dedicated tools for automated source code review (static analysis), like AppScan Source, Fortify and Veracode.

Alongside finding weaknesses, Vulnerability Assessment tools also provide remediation techniques for eradicating or patching each weakness.
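To show what the last two steps above (service mapping and vulnerability mapping) actually do with the data gathered by the earlier steps, here is an added example, not code from the original post or from any of the scanners named. It works on constructed banners for one host and a constructed advisory table with hypothetical product names (ExampleSSH, ExampleHTTPd, ExampleFTPd), matching each identified service version against a half-open affected range and ranking the findings by severity, the way a VA tool prioritizes remediation.

```python
import re

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed advisory table (hypothetical products, no real CVEs):
# (product, first affected version, first fixed version, severity, remediation)
ADVISORIES = [
    ("ExampleSSH", "7.0", "7.4", "High", "Upgrade ExampleSSH to 7.4 or later"),
    ("ExampleHTTPd", "2.4.0", "2.4.25", "Medium", "Upgrade ExampleHTTPd to 2.4.25 or later"),
    ("ExampleFTPd", "2.3.4", "2.3.5", "Critical", "Rebuild ExampleFTPd from a clean 2.3.5 release"),
]
# Banner patterns for the service-mapping stage; each yields (product, version).
BANNER_PATTERNS = [
    re.compile(r"SSH-2\.0-(ExampleSSH)_(\d+(?:\.\d+)*)"),
    re.compile(r"Server: (ExampleHTTPd)/(\d+(?:\.\d+)*)"),
    re.compile(r"220 \(?(ExampleFTPd) (\d+(?:\.\d+)*)"),
]

def parse_version(text):
    """Turn '7.2' or '2.4.18' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def map_service(banner):
    """Service mapping: identify (product, version) from a banner, or None if unknown."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group(1), parse_version(match.group(2))
    return None

def map_vulnerabilities(scan_results):
    """Vulnerability mapping for one host; scan_results is {port: banner}. Most severe first."""
    findings = []
    for port, banner in scan_results.items():
        service = map_service(banner)
        if service is None:
            continue  # nothing to map; a real tool would report an unidentified service
        product, version = service
        for adv_product, first_bad, first_fixed, severity, fix in ADVISORIES:
            if adv_product != product:
                continue
            # Affected range is half-open: first affected <= version < first fixed
            if parse_version(first_bad) <= version < parse_version(first_fixed):
                findings.append({"port": port, "product": product,
                                 "version": ".".join(map(str, version)),
                                 "severity": severity, "remediation": fix})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])

SAMPLE_HOST = {  # constructed service-mapping output; nothing is probed over the network
    22: "SSH-2.0-ExampleSSH_7.2",
    80: "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.18\r\n",
    21: "220 (ExampleFTPd 2.3.4)",
    8080: "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.29\r\n",  # already fixed: no finding
}
```

Calling `map_vulnerabilities(SAMPLE_HOST)` yields three findings ordered Critical (port 21), High (port 22), Medium (port 80); the patched service on port 8080 produces none.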

Starting Information Security Career?

A lot of people ask me every now and then how to start a career in information security. These people range from young graduates to mid-level professionals and even manager-level professionals. So I thought of writing a blog post that would help the hundreds of knowledge pursuers and career changers who want to effectively enter the rich and broad field of information security. The post is written from the perspective of service providers (joining one is the best way to learn the ins and outs of information security!).

To keep it very simple, there are two major domains in the information security field:

1) Technical
2) Managerial

In the technical domain of information security, as the name suggests, almost all the work is technical. You (can) work on technical solutions and services in R&D, pre-sales, post-sales, training and/or support. Each of these is explained as follows:
  • R&D: You find out how different technologies work and gain expertise in them in your test environment (to start with). Or, you develop a technology solution, service or training of your own that helps organizations in their security goals and endeavors.
  • Pre-Sales: You face customers! You pitch them your solutions and services. The pitching can range from presentations to demos to PoCs to running pilots to drafting RFPs, complying with the requirements via RFP responses and designing the BoQ. The majority of selling happens here!
  • Post-Sales: Once pre-sales ends successfully -- the post-sales phase kicks in. In this phase, you implement and deploy solutions for the customer or provide services as per the defined scope and acknowledged project plan. The major component of this phase is helping customers design, configure and implement the solution or service in the way that benefits them the most.
  • Training: Trainings can be product-based or product-independent, focusing on developing a particular skill. Usually, once the solution or service has been successfully implemented -- the customer wants hands-on training to enable their resources to handle the daily routine operations associated with the solution or service. That is one aspect of training. Training can also be provided independently to enable customer resources to perform a particular area of their job (for example, incident response, malware analysis etc.) effectively. There are a lot of training bodies as well (EC-Council, (ISC)2, ISACA, etc.) -- delivering their trainings can be quite productive financially, and a lot of solution / service providers do this and have dedicated training teams and departments.
  • Support: Support is an essential part of solution and service selling. Support ensures that business flow is continuous and customer retention is effectively 100%. In the support phase, customers get their issues in the deployed solution or the service in use fixed swiftly (via support engineers).

In order to perform any of the above activities (or the activities associated with the phase of your interest) -- you need good technical research, knowledge-acquiring and knowledge-transferring skills. Often, technical people think they do not need to work on their soft skills -- assumptions like that are very wrong. Good soft skills are a must for any information security professional and are essential for growth!

Now, coming to the second major domain of information security: the managerial part encompasses security management practices ranging from policy development, risk management and compliance assurance to process optimization, standards implementation, suggesting controls, ensuring they are implemented and reviewing their effectiveness.

The managerial domain is more focused on people and processes and is interlinked with the technical domain via the use of technology. It aligns information security with the business goals of the organization and frequently takes ROI into account while reducing risk at the same time. ISMS standards like ISO 2700x and BCM standards like ISO 22301 / 22313 come directly under the managerial domain of information security.

My recommendation for entering information security has always been to start from the technical domain, get a feel for working in information security and then choose where you want to go. If you want to stay on the technical side, the following are some of the fields:
  • Work with security-related solutions like endpoint security, vulnerability assessment, security information and event management, identity and access management, data leakage prevention, two-factor authentication, database security, web application firewalls, next generation infrastructure firewalls, IPS, IDS, advanced threat detection solutions and so on.
  • Work with security-related services like vulnerability / threat assessment, penetration testing, network design review, source code review, digital forensics, incident response, malware analysis / reverse engineering and so on.
  • Work with security-related trainings to enhance the skills of knowledge-seekers. Apart from trainings or courses offered by governing bodies -- trainings can range from integrating a secure software development lifecycle to performing black-box / white-box penetration tests to performing incident response or doing malware analysis and so on.

My other recommendation, particularly for young graduates, is to work with IT technologies first: get a good understanding of how things work, go in depth and gain expertise in implementing them. Once that is done -- you are in a very good position to either circumvent or protect these technologies and information systems. This way, changing role from implementing a technology to protecting it becomes easy. For a technical information security professional, fast-paced research and quickly gaining knowledge of technologies is key to success, alongside good soft skills.

Starting your information security career in the technical domain helps a lot in understanding the underlying technologies, how they can be vulnerable (to attacks) and how to put the right controls in place to keep them protected effectively and efficiently. This path also eases entry into the managerial domain -- all you need to do is study ISMS or BCM standards and develop an understanding of performing thorough risk management or business impact assessment. Once you have developed a good understanding of how the different standards work and can be implemented -- you are ready to work as a consultant for firms that want to implement or have their ISMS reviewed.

The key skills generally needed to become an information security professional are as follows:
  • Focused research
  • Persistence and hard work
  • Communication (both oral and written)
  • People skills

The top certifications to transform your career in information security are as follows:
  • CEH or CPTE (technical)
  • CHFI or CDFE (technical)
  • OSCP (technical)
  • CISSP (managerial)
  • ISO 27001 Lead Implementer / Auditor (managerial)
  • BCI certifications (mostly managerial)

I hope the information presented in this post assists you in choosing information security as your career path. In case you want to discuss this further -- please feel free to reach out to me on wajahatrajab[@]gmail[.]com.