
51 Tools for Security Analysts


The ISO 10 Things List


10 People an ISO Needs to Know

Leadership (and engagement)
Governance groups
Counsel, Police, and Audit (oh my)
Data stewards (HR, etc.)
Risk, Compliance, Insurance
Privacy, Policy
Student Affairs
CFO, Chief Business Officer
Purchasing, Procurement, Licensing, Project Management

10 Things an ISO Needs to Ask Themselves

Why did I take this job? Someone remind me! (How on earth do you all sleep at night?)
Do I have appropriate management support and understanding?
Do I understand what the major risks to the institution are? What is the most valuable data at the institution? Where is it, and how is it controlled?
What are the institution’s policies that affect information security? Do the policies I need to do my job effectively exist?
Who owns the data? Is this defined in a policy?
Does my management have the same list in their heads?
What capabilities does my management expect me to provide?
Do I have the ability to meet those expectations? Staff, Skills, Technology, Policy, Procedures
What technology do I have deployed? Is it deployed in an effective manner?
What technology do I not have that I need?

10 Things an ISO Needs to Know

What are your information security policies? Are they any good? How do you know?
What incidents have occurred in the past year? The past 5?
What is your Incident Response plan, and does it work? Who do you contact in the event of an incident?
Are there risk management and disaster recovery plans in place? Have they been tested?
What is your role in the above three items?
What does your management expect from you?
What does your staff expect?
What mailing lists should I be a member of?
What professional groups should I be a member of?
What is your communication style? Are you communicating and providing information at the right level for executives or other staff?

Top 10 Things an ISO Should Not Do

Don’t Panic
Publicly or privately make the claim that the institution is secure
Assume that there is some place on the internal network that is “secure”
Make a service so inaccessible that it becomes insecure
Consider any process, training or device as a silver bullet
Consider technology in isolation as a solution to security risk
Fight fires (okay, almost never)
Develop punitive measures for IT staff who make mistakes in securing their systems
Compromise ethics for expedience, or at the direction of your management
Make decisions in isolation

Seven years of developing BackTrack Linux has taught us a significant amount about what we, and the security community, think a penetration testing distribution should look like. We’ve taken all of this knowledge and experience and implemented it in our “next generation” penetration testing distribution.

After a year of silent development, we are incredibly proud to announce the release and public availability of “Kali Linux”, the most advanced, robust, and stable penetration testing distribution to date.

Kali is a more mature, secure, and enterprise-ready version of BackTrack Linux. Trying to list all the new features and possibilities that are now available in Kali would be an impossible task on this single page. We therefore invite you to visit our new Kali Linux Website and Kali Linux Documentation site to experience the goodness of Kali for yourself.

We are extremely excited about the future of the distribution and we can’t wait to see what the BackTrack community will do with Kali. Sign up in the new Kali Forums, join us in IRC in #kali-linux, and help us usher in this new era.

Managed Services

Healthy IT systems help businesses to sustain healthy growth and healthier profits. Downtime, slow system performance and irritating IT issues can be a major hindrance.

Using industry leading technology, we offer a solution which monitors, maintains and supports your PCs and laptops, 24/7. And all for a small monthly fee per workstation.

We work specifically with small and medium sized businesses, helping them increase sales, reduce costs and above all, keep their customers happy. To find out more about our Managed Workstations service, click here.

Malicious Virus Shuttered US Power Plant

A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website.

The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.

It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.

DHS reported the incident, which occurred in October, along with a second involving a more sophisticated virus, on its website as cyber experts gather at a high-profile security conference in Miami known as S4 to review emerging threats against power plants, water utilities and other parts of the critical infrastructure.

In addition to not identifying the plants, a DHS spokesman declined to say where they are located.

Interest in the area has surged since 2010 when the Stuxnet computer virus was used to attack Iran’s nuclear program. Although the United States and Israel were widely believed to be behind Stuxnet, experts believe that hackers may be copying the technology to develop their own viruses.

Justin W. Clarke, a security researcher with a firm known as Cylance that helps protect utilities against cyber attacks, noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are “air gapped,” or cut off from the public Internet.

“This is yet another stark reminder that even if a true ‘air gap’ is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur,” he said.

Aging Systems

Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have “auto run” features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which helps protect critical U.S. infrastructure, described the incident in a quarterly newsletter that was accessed via its website on Wednesday.

The report from ICS-CERT described a second incident in which it said it had recently sent technicians to clean up computers infected by common as well as “sophisticated” viruses on workstations that were critical to the operations of a power generation facility.

The report did not say who the agency believed was behind the sophisticated virus or if it was capable of sabotage. DHS uses the term “sophisticated” to describe a wide variety of malicious software that is designed to do things besides commit routine cyber crimes. They include viruses capable of espionage and sabotage.

A DHS spokesman could not immediately be reached to comment on the report.

The Department of Homeland Security almost never identifies critical infrastructure operators that are hit by viruses, or even their locations, but it does provide statistics.

It said ICS-CERT responded to 198 cyber incidents reported by energy companies, public water districts and other infrastructure facilities in the fiscal year ending Sept. 30, 2012.

Attacks against the energy sector represented 41 percent of the total number of incidents in fiscal 2012. According to the report, ICS-CERT helped 23 oil and natural gas sector organizations after they were hit by a targeted spear-phishing campaign – when emails with malicious content are specifically targeted at their employees.

The water sector had the second highest number of incidents, representing 15 percent.

Infographic: Why it Sucks Being the IT Guy

Cyber Defence Exercise Locked Shields, organised by the NATO Cooperative Cyber Defence Centre of Excellence, took place in March 2012. It had a game-based approach, which means that no real organisations played their actual role and the scenario was fictional. The defenders (Blue Teams) had to protect a partially pre-built environment simulating the network of a small telecommunications company. The attacker’s (Red Team) objective was to provide equally balanced attacks against all the Blue Team networks. The Blue Teams were from Switzerland, Germany, Spain, Finland, Italy, NATO (NCIRC), Slovakia, there were also combined teams from Germany-Austria and Denmark-Norway. The core of the Red Team composed of specialists and volunteers from Finland and Estonia, with additional contributors from Germany, Latvia and NCIRC.

Locked Shields 2012 from NATO CCD COE on Vimeo.

The December issue of [IN]SECURE magazine has a nice article on how a guest wireless network was used to penetrate the corporate network. It is a very easy read that you could share with the executives in your office. With the step-by-step instructions and screenshots, it just might show them how easy some exploits are if the proper steps are not taken.

Give it a read and let me know your thoughts.

Title “It’s just the guest wireless network… right?”

Spiceworks is one of those applications that seems too good to be true, but I have been using it for years and have deployed it at many companies; it is everything it says, and all for FREE. Wired just did a great write-up on Spiceworks.

By Klint Finley of WIRED

Spiceworks makes software and online services for use inside businesses, but it’s not like most business-software outfits. The Austin, Texas-based company gives its software away for free — all of it.

Yes, so many other companies offer free software and services. But they typically make their money by selling some sort of “premium” tool alongside the free stuff — a version that includes a bunch of stuff you can’t get for free. But Spiceworks doesn’t do premium versions. All of the company’s software and services are designed to make money from advertising.

Up until now, the company has focused on offering an online forum for IT professionals and tools for managing IT assets and infrastructure, but on Monday, it launched a new service called Spiceworks Cloud Program, which will let businesses manage cloud services such as Google Apps and Dropbox. This means it’s now taking on a wide range of larger and more established companies, including some of its own advertisers: VMware and SolarWinds.

Spiceworks was founded in 2006 by four former employees of Motive — an Austin-based broadband and data service management company that was acquired by Alcatel-Lucent in 2008 — and they brought experience from a wide range of other tech outfits as well, including Apple, NeXT, Tivoli, and 3M. According to co-founder and vice president of marketing and business development Jay Hallberg, the new company’s mission arose from conversations he and the other founders had with various system administrators and other IT pros.

“Really, we were just shocked by how few tools they had to do their jobs,” Hallberg says. “And what software they had, candidly, sucked.”

Hallberg says that when he asked system admins what software they loved, he got blank stares. “One guy said he loved playing Doom while he ran defrag,” he says. But when Hallberg asked what software people hated, they went on and on.

With Spiceworks, Hallberg and team decided to build an IT management tool that was actually easy to use. “We wanted to make the iTunes of IT management,” he says. The original product offered an inventory tool and a hosted application for help desk workers, but the company now wants to make it possible to manage, not just monitor, your IT infrastructure from within Spiceworks.

It made its first foray into cloud services in May when it released a tool that enabled system admins to determine which cloud services were being used within a company by monitoring network traffic. If a department was sharing files through Dropbox, for example, IT could easily find out.

The new Cloud Program expands on this service by adding tools for monitoring, managing and deploying cloud services. The first release focuses on four types of cloud service: hosted e-mail, online backup, file sharing and cloud servers such as Amazon EC2. Microsoft Office 365, Google Apps, and Rackspace’s cloud and e-mail services have all been integrated into Spiceworks already. The company plans to expand into other types of cloud service, such as CRM, over the next year.

Hallberg says Spiceworks will continue to expand its offerings with the goal of becoming a true “single pane of glass” for IT admins. Mobile device management will be another area of expansion, as might purchasing and vendor relationship management.

Will this create tension between Spiceworks and advertisers such as VMware? VMware just launched IT management and cloud service account management tools as part of its vCenter Operations Management Suite and the VMware IT Business Management Suite products earlier this year, but Hallberg says this sort of thing has never been an issue. He says Spiceworks is vastly different from the competition in two distinct ways: it’s free, and it oversees a community of 2 million IT professionals.

“What Spiceworks did was connect IT pros who were working alone or in small teams to let them be part of a larger community,” he says. They have come for the free tools, but what may keep them around is that chance to connect with other people who share their concerns — even if they wind up buying a competing solution from one of Spiceworks’ advertisers.


While we all work hard at ensuring that the Microsoft patches are applied monthly, we are doing very little, if anything at all, to patch other applications that pose a larger threat. The information in this document is from the Microsoft Security Intelligence Report Volume 13 (January through June, 2012), issued in October 2012. This data shows that exploits are being targeted at non-Microsoft applications; the reason is that companies have accepted the fact that Microsoft applications must be patched. When it comes to non-Microsoft applications it becomes more difficult and costly to keep these patched, so it is not done.

Figure 6 shows complexity trends for vulnerabilities disclosed since 2H09. Note that Low complexity in Figure 6 indicates greater risk, just as High severity indicates greater risk in Figure 4.

Figure 8 charts vulnerability disclosures for Microsoft and non-Microsoft products since 2H09.

Figure 9 shows the prevalence of different types of exploits detected by antimalware products each quarter from 1Q11 to 2Q12, by number of unique computers affected.

Document parser exploits are exploits that target vulnerabilities in the way a document editing or viewing application processes, or parses, a particular file format. Figure 14 shows the prevalence of different types of document parser exploits during each of the six most recent quarters.

So, as this data shows, concentrating purely on Microsoft patches actually does very little to minimize your attack surface. We run a very wide variety of applications, as well as various version levels, on both workstations and servers. Using anti-virus helps, but this is a reactive approach to what is known; the risk comes from the unknown exploit. It could take up to a month for anti-virus vendors to release a signature that will detect a new exploit; a lot of damage can be done in a month. We need to start scanning and reporting on all out-of-date applications so that proper effort can be allocated to remediate these issues.
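One way to produce the out-of-date application report the post calls for, as an added example that is not part of the original post: it takes a software inventory export (host, application, installed version) and a minimum-patched-version baseline kept by the security team, compares versions numerically rather than as strings, and also lists applications that have no baseline entry so they are not silently ignored. The inventory rows and baseline versions below are constructed placeholders, not real vendor release numbers.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed inventory export: host,application,version (placeholder values).
INVENTORY = """host,application,version
WS-001,Adobe Reader,11.0.01
WS-002,Adobe Reader,11.0.10
WS-002,Java,7.0.17
SRV-01,Java,7.0.45
WS-003,Firefox,24.0
WS-003,Flash Player,11.9.900.170
WS-004,VLC,2.0.8
"""

# Constructed baseline: minimum version considered patched (placeholders).
BASELINE = {
    "Adobe Reader": "11.0.06",
    "Java": "7.0.45",
    "Firefox": "24.0",
    "Flash Player": "11.9.900.170",
}


def parse_version(text):
    """Split '11.0.10' into a tuple of ints so that 11.0.10 > 11.0.06 and 1.10 > 1.9."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def find_outdated(inventory_csv, baseline):
    """Return {application: [(host, installed, required), ...]} for every installed
    copy below its baseline. Applications missing from the baseline are collected
    under the key 'UNBASELINED' as (host, application, installed)."""
    report = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, app, installed = row["host"], row["application"], row["version"]
        required = baseline.get(app)
        if required is None:
            report["UNBASELINED"].append((host, app, installed))
        elif parse_version(installed) < parse_version(required):
            report[app].append((host, installed, required))
    return dict(report)


if __name__ == "__main__":
    for app, rows in sorted(find_outdated(INVENTORY, BASELINE).items()):
        print(app)
        for entry in rows:
            print("   ", *entry)
```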