Posts

Showing posts from 2017

Tools & Techniques - Key Performance Indicators

Introduction

To date, I've facilitated senior-level reporting on the performance of security-driven activity in almost every position I've held. For the most part, this has been a green-field requirement, which has meant that I've been able to set out and make a case for reporting that drives improvement in the real-world security posture (RWSP) of my charge from the get-go. I believe, no matter what else is going on, that if you can inform the changes and behaviours that lead to your organisation protecting itself, you've had a good day. Second to driving improvement, KPIs and metrics provide your leadership team with insight and visibility into the efforts and valuable work of your security team which might otherwise be hidden from them. There is no shortage of materials and musings about the importance of security KPIs; however, despite this, many organisations struggle in a number of ways to define and/or employ them. I thought then I'd share some

Tools & Techniques - Suricata 4.0 (High-performance Network IDS, IPS & NSM engine)

On July 27th, 2017 the OISF (Open Information Security Foundation) and the Suricata project team issued a major update release to the Suricata IDS/IPS engine. The summary of improvements includes:

Improved Detection - based on feedback from the rule-writing teams at Emerging Threats and Positive Technologies, the project added improved inspection for HTTP, SSH and other protocols.
Improved TLS detection and logging, and the addition of NFS support.
Improved EVE JSON logging functionality, including inner/outer IP logging for encapsulated traffic and extended HTTP request/response logging.
Rust support.
Major TCP stream engine update.

Full details of the release can be found here. I've been a big fan and user of Suricata for just over a year now and I've previously written about deploying Suricata on CentOS (or RHEL) here. The project still maintains some of the best documentation for an open project I've come across and you ca

Tools & Techniques - Cloud Firewalls (DigitalOcean)

My home lab is (probably) typical of most security professionals': a beefy workstation running VMware Workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices. I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent. They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had a chance to have a play with them today. Essentially, they've incorporated a network-level firewall service into their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.

Initial Impressions - Pros, Cons and Limitations

Pros
No Cost (free!!) - Cloud Firewalls are available at no additional cost.
Availability - Cloud Firewalls are available in every region DigitalOcean operates.

Tools & Techniques - Kali Linux on a Raspberry Pi

There are a couple of reasons why you might want to install Kali Linux on an inexpensive hardware platform that you can deploy, abandon or hide somewhere. An obvious use might be to serve as an 'Evil AP' in support of wireless assessments. Kali Linux is officially supported on a number of low-cost ARM-based devices, with Offensive Security maintaining minimal, streamlined pre-built images which can be copied across to an SD card, installed and then configured with the packages you need for the task you have in mind.

Installing Kali Linux on a Raspberry Pi

Offensive Security maintain good documentation here. For our needs: download and verify the image from here.

$ shasum -a 256 /Volumes/SANDISK/kali-2017.01-rpi2.img.xz

dd the image over to the SD card:

$ sudo dd if=kali-2017.01-rpi2.img of=/dev/disk2 bs=1m

Insert the SD card after the dd has completed and boot the RPi. I had a DHCP reservation set on my router so I knew what IP it would get. I al

Six Months of ICO fines

A well-known high street supermarket received a fine from the Information Commissioner's Office (ICO) yesterday. I had a look at the details and you can too. It's not a vast sum but it should be cause for embarrassment. It should also be cause for concern for anyone working there who has anything to do with data protection, given the approaching changes to the ICO's powers coming next year with GDPR. There are still a lot of people who think GDPR will be the next Y2K - I've literally heard two separate groups of people say this. I think a lot of people think that the ICO is a paper tiger and, if you pushed them for an example of their actions, they'd at best recount TalkTalk's record £400,000 fine. I thought then it might be interesting to review all of the monetary penalties the ICO has issued since the start of this year up to yesterday. All enforcement notices can be viewed online here. ICO Monetary penalties - 01/Jan/17 to 17/Jun/17, Introdu

British Airways IT Issues

The media coverage of the recent major systems outage at British Airways is some of the worst I can recall reading. Essentially, a national institution working in an industry synonymous with resilience, safety and preparation is making a drama out of a crisis, and many technical practitioners are still trying to understand what happened. In the most recent reports, it sounds like a contractor accidentally switched off the power in their datacenter and with it toppled the first domino in a series which led to 750,000 passengers being unable to fly and an as-yet-uncalculated compensation bill. "It was not an IT issue, it was a power issue" - British Airways. Nothing in the information they've released so far really explains how this course of events came to transpire, nor does it provide any confidence or assurance around BA's approach to business continuity planning (BCP) or disaster recovery (DR). Essentially, someone was able to gain access to and then p

DDoS Protection Services

Distributed denial of service (DDoS) attacks are now an established aspect of the threat landscape. The number of attacks reported continues to rise, as do the recorded peaks for the traffic they can deliver. 'Booter' services, the prevalence of poorly configured IoT devices and access to command and control operations for botnets like Mirai mean threat actors need relatively low levels of sophistication or competence to disrupt or completely disable unprepared organisations. Even those organisations that already have countermeasures in place must remain alert and aware of threat actors who adjust their tools, techniques and procedures (TTPs) to circumvent controls or exhaust and overwhelm defenders. Booter Service "There is a lack of ultimate control associated with this attack. You can't prevent attempts, and likely need to rely on help from some upstream allies to defend if/when attempts are made. If someone points their botnet at you, hopefully you have a p

Questions to ask before the next WannaCry

If your inbox or social media feed is anything like my own, you'll probably have been inundated with a stream of marketing material following the WannaCry(pt) outbreak last week. Amongst all the vendor bragging, claims and offers of free trials and assessments, I've seen a lot of good advice from security professionals. The message is clear enough to sum up in one sentence for technical staff: patch, manage your network, do the basics. For security practitioners, this advice is a message they've repeated enough to become mantra. I thought then it might be useful to look at this recent event through a different lens and provide a pocket guide for Business Managers looking to assess the situation and provide Business Owners with an understanding of their exposure. This can then be used to identify what help (if any) your technical teams need. Clearly, a disconnect still exists in many organisations between risk owners and technical staff. Below is a series

WAR GAMES - Simulating Security Incidents

Why it's a good idea

There are a myriad of reasons to test, in peacetime, the controls and processes which collectively represent your incident readiness. These include:

Validating your Incident Readiness - testing can confirm that you are as ready as you think you are, and that nothing has changed resulting in an end state which prevents you from initiating IR.
Assess Controls Coverage and Identify Gaps - testing can confirm your controls coverage is adequate, as well as highlighting those gaps which you'd rather not have in the event of a real issue.
Demonstrate value of investment - you've probably spent a lot of time and other people's money acquiring controls, attracting talent and preparing for the eventuality of an incident. Internal stakeholders will likely already be looking for assurance that their investment has been worthwhile.
Demonstrate investment and commitment to interested parties - internal stakeholders considered, you'll lik