Spend Your Infosec Dollars on the Things that Work Best First

If your organization is like most of the ones we deal with every day, you have a lot of information security controls that you are being pressed to implement, but you only have a limited budget to implement them with. How are you supposed to decide where those very scarce dollars go? I recommend implementing those controls that have proven their worth through time and trial first.

Just about nine years ago, early in the Obama administration, there was a big push to improve information cybersecurity across the board. Infosec experts from all disciplines shared ideas and information, debated strategies and mechanisms, and developed what was then called the Consensus Audit Guidelines. Around this same time Brent Huston and the MSI team developed our 80/20 Rule for Information Security. The goal of both of these endeavors was the same: rank infosec controls hierarchically according to necessity and effectiveness. This is, of course, an ongoing process subject to disagreement and periodic changes in thinking. But here are some of the primary controls that we champion.

Inventories of hardware and software assets. You can’t protect your network if you don’t know what is on it. Ensuring that your organization has mechanisms and processes in place to constantly monitor network inventories is well worth the cost. We also recommend that organizations leverage inventory processes to map data flows and trust relationships among network entities. This information can help you spot weak points in your security posture and is very useful in business continuity planning.

Configuration control and security maintenance. I can’t tell you how many network compromises that I have seen that were the result of systems that were misconfigured, or that were missing security updates. All network entities should be fully “hardened” and included in the security maintenance program. Configuration and security maintenance processes should be fully documented, maintained and overseen. Forgetting to change one default administrator password or to apply one security patch can mean the difference between security and compromise. Although these processes are labor-intensive, there are devices and applications available that can help your personnel to keep on top of them.

Vulnerability and security assessment processes. Humans are fallible. Even if you have good configuration and maintenance processes in place, you still need to check and make sure that nothing has fallen through the cracks. You also need to see if there are any access control problems, miscoding in applications or other vulnerabilities on your networks. This means regular vulnerability assessments of networks and applications. If your budget allows it, assessments such as penetration testing and social engineering exercises can also be very illuminating.

Privileged access control and monitoring. Attaining administrative-level access is the Holy Grail of cyber criminals. If you can achieve domain admin access privileges, you pretty much have the keys to the kingdom. So, ensure that privileged access is fully controlled and monitored on your network. Admins should use separate passwords for admin duties and simple network access, and adding/changing admin accounts or out-of-bounds admin activities should create alerts on the system. This is inexpensive to implement, and more than worth the effort.

Security monitoring and egress filtering. One of the processes that everyone seems to have trouble doing well is security monitoring. This is probably because it is at once a daunting and boring task. However, security monitoring is essential. It also demands a good deal of human participation. Although we strongly advocate using tools to help aggregate, parse and supply basic analysis of log data, only humans are fit to do the final analysis. One very effective part of this task is egress filtering. Egress filtering is the practice of monitoring and restricting the flow of information outbound from the network. This control is relatively easy to implement and can save the day by stopping large-scale exfiltration of data from your network in the event other security controls have been circumvented.

Security training and awareness mechanisms. It should always be remembered that information security is a human problem, not a technological problem. Because of this, your own personnel can either be your greatest security threat or your greatest security asset. Security training (accompanied by employee buy-in to the security program) can help assure that your employees are security assets. Security training should be provided to new hires and all employees on a recurrent basis. Awareness reminders should reflect real-world threats and should be provided on an as-needed basis. In addition, we recommend high-risk job titles such as system admins and code developers should be provided with security gap training to help ensure that they have all the skills needed to prevent and detect security incidents in your environment.

The controls mentioned above are certainly not all that are needed for a well-balanced information security program, but they do carry a lot of bang for the buck. So, make sure you have these primary controls in place before you waste your security dollar on flashier, but less effective mechanisms.

Because you know it’s all about them apps, ’bout them apps…

Know thyself – Socrates

I ran across this link last week, from SANS, and it’s one of the better basic checklists I’ve seen for application security. With all due respect to OWASP, their information is more technical, and useful for practitioners – their testing guide is here. For the CIO level crowd, I’d highly recommend a look at their top 10 for 2017. And a serious nod to Bill Sempf – if you haven’t heard his talk about care and feeding of developers in the security space, go find it!

Since this missive was designed to have pretty pictures and convince you to send your developers to the SANS courses listed, it’s a nice start for security practitioners that may need to work with developers, but aren’t 100% versed in application security. Some of this info is more basic than OWASP’s, as well – which does not diminish it’s importance. Let’s talk about what they list here, and why it’s important.

Error handling and logging:

Don’t display the specific error messages generated by your programs/architecture, and don’t allow unhandled exceptions – both of these items can display information about the underlying architecture of your application. Attackers can leverage this information and any associated vulnerabilities to compromise the application. If the user creates a condition that generates an error, offer them enough information to fix the problem – nothing more, nothing less.

Don’t allow specific framework errors…”the X program says you broke Y variable” – suppress them. Allowing these errors discloses potentially useful information about the framework and architecture to attackers.

Log all the things! Log authentication attempts – successful or not. Log privilege changes – successful or not. Log all administrative activity, or administrative attempts. Log any and all access and access attempts to sensitive information.

Log all the things….except when you don’t. Don’t log sensitive information. Log the admin attempts, but not admin passwords. Don’t log any information that falls under HIPAA, PCI, or other regulatory spheres.

Store logs securely. Plain text in an internet facing share? Not the world’s best idea. Encrypt, secure, and protect against data loss and tampering. If you have a data retention policy, make sure that logs are included and the policy is followed.

Data Protection:

Turn ON HTTPS, turn OFF HTTP. The same URL should not be accessible via HTTP. Get your HTTPS certificates from a respectable CA – no self-signed certificates. Accepting them is bad practice, and you run the risk of the impression that you haven’t done your due diligence, AND of conditioning your users to bypass this simple security measure.

Disable weak ciphers. Don’t wait for the 4,732 vulnerability, and don’t argue that these vulnerabilities are difficult to exploit. The NEXT one might not be. Get your SSL sanitization house in order.

Don’t allow auto-complete. Yes, some browsers will ignore things – their bad practices shouldn’t be used to justify your bad practices.

Avoid storing user info. Tokenize when possible. If you have to store password, encrypt, salt, spindle, mutilate and fold. There’s no such thing as TOO safely here.


Have a consistent, repeatable process for…application development, testing, change control. Include security requirements at the beginning of the design – don’t try to shoehorn them in after the fact.

Review, review, review. Code reviews. Design reviews. Security testing – as you go, not at the end. Harden the environment per best practices.

Train your developers on security! Work as partners, not as the guys who make stuff and those security guys that always say no.

Have an incident response plan. TEST your plan, evaluate your plan, use your plan. Do not wait til something DOES happen to discover the holes in your plan. Keep your plan updated, as staff contacts and responsibility changes. Do disaster recovery exercises.


Hard coded credentials. Don’t. Just don’t. But I need to because….no. You do not. There are safer ways to do this.

Have a strong password policy. Have a strong password reset – do not accidentally disclose things like the validity of an account via the password reset mechanism. Do have a password lockout policy – unlimited attempts is an invitation to a brute force attack.

Again, make sure your error messages aren’t handing valuable information to attackers.

Run applications and middleware with the least privilege required. Database passwords are gold – do not put them in code. Guard them. But I need to because…again, you do not. Do it right, don’t do it over.

Session management:

Put a logout button on every page. Every. Page. Then, invalidate the session once they’ve logged out – no back button resumption of the session.

Randomize your session tokens, so that they are not vulnerable to predictive attacks. Regenerate them as user permissions change. Unless the application requires multiple connections – and you have a legitimate need to DO this – destroy tokens in multiple sessions. Don’t leave yourself open to session cloning.

Cookies. And not the chocolate chip kind. Set the domain and path correctly. Use secure cookie attributes, and expire cookies as appropriate.

Log users out automatically on reasonable idle periods. Implement an absolute logout – there are few, if any, legitimate reasons to be logged in forever.

Input & Output handling:

Whitelist over blacklist. Only accept data that meets the criteria for your application.

Validate, validate, validate. Validate uploaded files – consider all uploads as suspect, and sandbox accordingly. Validate input sources.

Follow the OWASP recommendations, many detailed in the link above, for input, output, and safe transport.

Access control:

Apply access controls consistently. Use “gate keeper” technology, so that all requests are validated and verified, whether the user is logged in or not.

Don’t allow unvalidated forwards or redirects. This gives an attacker potential capability to access content without authentication.

Least privilege rules. Make access control mandatory, don’t elevate rights when you don’t absolutely need to. Don’t use direct object references to validate access.

There’s a lot more than I’ve include here….don’t understand these? Need more info? Talk to your developers. Buy ’em a burger. Buy ’em a beer. Become the guy who listens, and attempts to understand….not the jerk that always says no. If you make an honest effort to understand them, and to help them understand you, you’ll both be better for the attempt.

Got a development war story? Got a good development story? Please reach out – @TheTokenFemale on Twitter. Let’s keep the conversation going.

Vendor Management: Are You Doing all of the Right Things?

In the not-so-distant past, organizations let service providers connect to their internal networks without a great deal of concern. At that time, attackers could generally find a more direct route into business networks, and although the security vulnerabilities inherent in 3rd party connections to networks were known, they received much less attention by users and regulators alike than they do today.

Now, networks are very much better protected, especially those segments that directly face the Internet. Their improved outer armor has forced attackers to come at networks in more indirect ways, such as through trusted service provider connections. Attackers reasoned that if your target’s outer security is just too good, maybe concerns such as the company that hosts their operating software suite is not so robust. Their reasoning proved to be correct. In fact, this attack vector worked so well, that governing bodies have had to tighten security requirements accordingly.

In the present environment, organizations such as financial institutions and medical concerns must be able to demonstrate due-diligence in their establishment and maintenance of vendor/3rd party relationships. They should always remember that they, as the parent organization, are ultimately responsible for the security of their client information; it doesn’t matter if the security breach originated with the service provider or not. Without mechanisms such as documented due-diligence processes, contractual security agreements and cyber-insurance policies, organizations can be left to shoulder the burden alone.

This trend toward vendor management security, and indeed toward more stringent information security regulation across the board, shows no signs of slowing. Quite the opposite. In 2017, 240 cybersecurity-related bills or resolutions were introduced in 42 states. In 2016, 28 states introduced cybersecurity-related legislation; 15 of these states actually enacted the legislation. In 2015, the numbers were 26 states and eight pieces of legislation enacted. Quite an increase in just a few years.

All of this regulation is having a direct effect on not only hosting organizations, but the businesses that provide services to them. Vendors are increasingly being asked to demonstrate the security of their cyber-systems and processes by both present and prospective clients. They must be able to show that their information security program is just as effective as that of the parent organization or no job.

The upshot of all of this is that NOW is the time ensure that your vendor management program meets all of the recommendations and regulations that are currently emerging. Playing catch-up is never a good idea.

First of all, the program should be based on risk. An assessment should be performed to identify risks to the organization associated with the use of 3rd party providers. Once that information is in place, a framework of policies and procedures designed to address these risks should be developed and implemented. Responsibilities for undertaking these tasks should be assigned to individuals, and of course, the whole program should be fully documented and maintained. Senior management should monitor the program to ensure that it is being implemented as designed, and that it is effective in its operation.

Companies should ensure that contracts with service providers are clear, comprehensive and that information security requirements and responsibilities are fully defined for all parties concerned. Results of IT audits and security assessments should be accessible and reviewed at least annually. Any significant weaknesses or security problems uncovered by these assessments should be addressed, and the effectiveness of their remediation should be monitored.

So, don’t wait. Review your own vendor management program today and see if it meets all of the current and likely future requirements. Having a compliant program in place is not only good information security, but may even be the differentiator that gets your company a few extra clients.

Scope….or, why can’t you just send me a form?

Scoping….the process of gathering data to put together a statement of work for a client.

To be 100% honest, I love scoping. And MSI doesn’t scope via form letter, although I’ve seen a variety of companies take this approach.

Is it because I want to talk to you? Well, partially – I do enjoy the vast majority of our clients. But here’s where I think the “fill in the form” plan fails.

First, when you’re not engaged in conversation, you’re viewing the client requirements with an eye towards putting a peg in the hole of one of your offerings. Even if that ends up to be a square peg in a round hole.

Second, the conversation often takes many twists and turns. As we talk about MSI, and our capabilities…it will happen that what a client asks for isn’t precisely what they need. We can offer a different service, and help them get to their end goal in a different way. And this isn’t always more services…it’s equally likely that it will be less, or a custom variation on a service we already have. The majority of clients don’t fall into “canned” services….and it’s refreshing to talk to them when they’re also engaging other vendors simply dropping them into a slot.

So the first question of any scoping conversation is – what is the purpose? What problem are you trying to solve? Is it regulatory – you have to have X assessment? Is something broken? Or are you trying to become aware of some security gaps – whatever they may be.

That’s the springboard of the conversation, helps us get to know you, and helps you to get the right mix of services. It’s personalized, customized, and based on individual attention from our sales and technical staff.

The next piece of serious hands-on attention comes when we’ve gathered the details for the engagement. Does the information provided make sense? If you’re a financial services firm, and you’ve chosen to be measured against HIPAA, is that really the right choice for you? The push-button approach may miss that.

Another item that’s fairly common is typos or inaccurate information in the network space provided. So we’ll do passive recon on the information provided. Does the IP space really belong to your company? Are you using hosting via AWS, which requires an additional penetration test form? Are you using a host like Rackspace that has additional contract stipulations on penetration testing?

Throughout the engagement, there are more personal touches. Via our project management portal, the engineers working on your engagement touch base every day, every other day as work progresses. If a highly critical issue is discovered, all work stops, and the engineers will get on the phone with you. We don’t believe in a situation where a critical vulnerability is only shared in a report, weeks after the discovery.

Now the reports are in your hands. We keep those reports for ~90 days – after that, all reports are purged from the system. During that 90 days, we can supply replacement copies – we can also supply the password used for encryption, if you’ve misplaced it. Sanitized copies of reports can be produced as well, for dissemination to vendors, clients, regulatory bodies, or any interested parties that you need to share this information with – a small fee may apply.

At the end of the day, the question is – who did you help today? It’s rare for MSI to end the day where we can’t answer that question in multiple avenues. It’s one of my favorite things, and we’d love to help you!

The hotel wifi is encrypted, it’s all good…No?

One of the modern amenities we always look for when booking a hotel room is that it has wifi. However, there are considerations and issues.

When using the hotel wireless network, you are a part of a network with many hundreds of other hotel guests. Innocent and anonymous, family, corporate, hotel guests. And possibly hackers and generally anyone up to no good. They could potentially snoop and view your unencrypted browsing activity. They could scan your laptop and leverage an existing vulnerability.

Traveling from one hotel to another, it can be tedious to enter the hotel wifi passcode to your 10 wireless devices to get connected each time you book into a new hotel (your devices, your spouse’s, your kids’).

You may think the hotel wifi is encrypted because you had to enter a passcode to get connected, but that is not necessarily true. The wireless network may simply require you to login using your room number and last name in order to be authorized to get connected, but that does not necessarily mean the connection is encrypted.

You could use a VPN to encrypt all your internet activity, but you still have to set up all your devices to connect to the hotel wifi first. And you need to have a VPN subscription/setup.

So, how can we secure our wireless connectivity to the hotel wireless network a little bit more?

One of the easiest solutions is to use a travel router. They range in cost from $30 to several hundred. They could be as small as a matchbox or a pack of cards. They could have all the features of a home router, and more. They can be setup as a router, a bridge, a wireless repeater, an access point, a firewall; some even have a SIM card slot so that you can connect to a cellular network and have multiple devices share the internet connection. Others can be setup as a file server or even have a battery, so it can be a free-standing device with no cable attachments.

On a recent multi city trip, I brought along one of these – a RAVPower FileHub Plus, reviewed in this article. I’d set it up before traveling into bridge mode, with my own non-broadcasting SSID with WPA2 encryption. I connected my laptop, phone and tablet to it, and saved the wireless connection details on each device.

After checking into each hotel, I’d connect my laptop or tablet to the router device, and setup its WAN connection – if I connect the device to the hotel room Ethernet, then there’s no need for this step. Otherwise, I would setup the device to connect its WAN to the hotel wireless. Then immediately, all my other devices would have internet connectivity, through my own router, encrypted.

If the hotel wireless network requires a login first, like you have to enter your room number and name, you would do that once, from a browser on any of the devices, then all the other devices would immediately have internet access. Easy. Secured. (Well, as secure as WPA2 can be.)

Connecting to a hotel wireless connection has some considerations – it may not be encrypted and you are connecting to a network where your device is easily visible to all several hundred others. Take some simple precautionary steps to create an additional layer of security around your devices.

Be safe…

Ensure You Give The Client The Right Services At The Right Time

Many of our clients come to us looking for direction on the right cadence for implementing security initiatives; what’s first, what’s next and how should I space these services out to best fit our budget and needs?. These are questions that many of our clients struggle with.

As with any initiative, it is imperative to allocate resources towards activities that not only get the job done, but that also provide the “most bang for the buck.” We have found that, in many ways, information security initiatives will stack in a logical order of what we like to call the “rhythm of risk.”

We suggest that a good place to start the conversation is with the “must haves,” which means understanding compliance with regulation and all that implies. Many organizations must be able to positively check certain questionnaire boxes in order to maintain their ability to operate in regulated industries or to partner with certain companies. In these cases, achieving and maintaining specific security benchmarks is like giving companies a “hunting license” for certain types of partnerships.

This process really starts with understanding the gap between where companies are and where they need to be. This is the basis of formulating effective compliance strategies. The idea is to come to a complete understanding of the organization’s security posture and needs up front; an approach that helps ensure that security dollars are spent wisely and achieve the desired effects. Many times we see organizations rush through this step, spinning their wheels on the path to compliance by either misappropriating resources or by simply over spending. Each client and situation is a bit different; a successful approach leverages understanding what needs to be done in the cadence that stacks logically for that particular client.

Another pivotal factor guiding our recommendation starts with the maturity level of the organization’s security program. For a security program that is less mature, it is important to focus on not only those security mechanisms that most effectively address the risk, but also those that are the least expensive and easiest to implement.

We gauge maturity based on the NIST Cybersecurity Framework as it applies to the particular organization’s security posture. The core of the NIST framework sets out five functions: Identify, Protect, Detect, Respond and Recover. Within each function are related categories with activities to be rated and applied. For example, under Identity are Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy. These blocks stack on top of each other and layout a path based on a hierarchy of risk; what is most likely to occur weighted against the impact to the organization.

In addition to an organization’s maturity, it is important to consider the cyber-economic value of the content they manage. This usually correlates with proprietary or sensitive personal information held by companies. The higher the value of the data held by an organization, the greater the lengths hackers will go to attain it. As usual the market will drive the velocity and veracity of breach attempts along with the level of criminal attracted to them. Therefore, the value of your organization’s information should have a direct correlation with the amount of time, energy and investments needed to protect it.

Hotel Wifi = Raw Internet. A true story.

A friend on a road-trip recently had an experience using hotel wifi that was a little surprising.  For several hours, while on the hotel’s wifi, her machine was effectively on the open Internet with no intervening firewall,

Her laptop was instrumented with one of MSI’s “honeypoints“, a lightweight honeypot that emulates various services and reports back to a central console when these “fake” services are interacted with, possibly by an attacker.

Over the several hour period while on wifi, the following Internet probes (and in some cases clear attacks) were seen.

The attacker IP and the port probed are in bold below:

  • Jan 15 18:03:43 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 443 at 2018-01-15 18:03:42 Alert Data: Connection Received  ==> https probe
  • Jan 15 18:03:49 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 443 at 2018-01-15 18:03:48 Alert Data: GET / HTTP/1.1#015#012Host:
  • Jan 15 18:03:49 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 443 at 2018-01-15 18:03:48 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2215.txt
  • Jan 15 18:23:02 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 3389 at 2018-01-15 18:23:02 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2216.txt  ==> Terminal services probe from Sweden
  • Jan 15 20:06:21 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 443 at 2018-01-15 20:06:20 Alert Data: Connection Received
  • Jan 15 20:06:29 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 443 at 2018-01-15 20:06:28 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2217.txt
  • Jan 15 20:20:36 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 23 at 2018-01-15 20:20:35 Alert Data: cat /proc/mounts; (/bin/busybox BBFMC || )  ==> Port 23 (telnet) IOT attack from Mexico. Likely from a Mirai botnet variant.
  • Jan 15 20:26:22 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 1433 at 2018-01-15 20:26:21 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2218.txt  ==> Microsoft SQL Server probe from Guam
  • Jan 15 20:26:22 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 1433 at 2018-01-15 20:26:22 Alert Data: Connection Received
  • Jan 15 20:26:33 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 1433 at 2018-01-15 20:26:32 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2219.txt
  • Jan 15 22:03:44 HPSS012 HPSS Agent: Tarsus.local received an alert from: on port 1433 at 2018-01-15 22:03:43 Alert Data: Non-ASCII Data Detected in Received Data.#012 File saved as Alert2220.txt  ==> SQL Server probe from U.S. 

These alerts were being reported to the console from the IP address assigned by the hotel to my friend’s laptop:

That IP is registered to:

NetRange: –
NetName: WAYPORT-63-140-182-NET

Wayport is an ATT wifi service providing “hotspots” to various large companies.

These are the types of probes and attacks a box on the open Internet can expect to get. It’s become like cosmic radiation – pervasive. I discussed a previous related event here:  https://stateofsecurity.com/?p=4126

What is interesting in this case is the fact they happened at all.

The hotel was part of a major chain.  The common assumption is they are watching out for their guests to ensure a “safe” wifi environment…and in general they are.

But – there maybe some fine print.

Some hotel wifi agreements apparently specifically allow you to request “advanced” connectivity options, in some cases as a result of wanting to do VPN from your laptop.  The result of those decisions may lead to a public Internet address and full Internet exposure of your device .

So – no Internet firewall but the one you bring with you.

Bottom Line:

  • Regardless of the cause, you should expect the worst from “free” wifi.
  • Assume full Internet exposure and have a software firewall enabled that blocks unsolicited inbound traffic.


Quote from that last:

“Most private LANs use network firewalls to defend trusted insiders against Internet-borne attacks.This is not necessarily true in hotel broadband LANs, where topologies and security practices vary widely.For example, some use private IP addressing, while others assign each user their own public IP address to facilitate VPN tunneling. Users may assume they are insulated from outsiders, but really have no idea whether any firewall lies between
their notebook and the Internet. Notebooks that do not firewall themselves or that use certain applications that open holes in firewalls could thus be exposed to intrusions from the far side of the Internet.”

Spectre and Meltdown and Tigers, Oh my….well, maybe not tigers….

On January 3rd, three new vulnerabilities were disclosed. These vulnerabilities take advantage of how various CPU’s handle processing in order to return a faster result.

The technical details for Spectre and Meltdown are addressed by the papers linked to their names above. And some POC’s from the Project Zero team.

A few observations on how the industry is addressing this issue…and a few points of interest that I’ve found along the way. First, let’s note that the CVE’s for these are 2017…when in 2017? We don’t know. But the catchy domain names were registered around the third week in December, 2017.

The full vendor matrix at CERT – this is always worth watching, and there are some useful tips for cloud implemenations via Amazon and Microsoft Azure:

Operating system manufacturers:


  • Will release updates for Safari and iOS in coming days. Some speculation that iOS on Mac’s that is 10.13.2 or higher has some protection from one or more variants – not verified
  • https://support.apple.com/en-us/HT208394



Some antivirus solutions are causing blue screens after application of these patches:

This is particularly interesting to me – the browsers. I did not expect to see the browser patch bandwagon to be as rapid as it has been:


Internet Explorer


  • Will be addressed in approximately the same timeframe as Apple iOS patches – current ETA unknown


The long and short. Is the sky falling? Probably not. If you have solutions that are hosted with a cloud provider, check in with them. What are their recommended mitigations, and have you implemented them? In an enterprise environment, do your due diligence on patches. Patch in your test environment first, and research your antivirus solution for potential impact.

And I believe I’m paraphrasing the excellent Graham Cluley. Calm down, make a cup of tea – although mine is salted caramel coffee. Patch during your normal cadence for critical patches, and keep the ship afloat!

GDPR: It’s Coming Soon, and it has Teeth!

The General Data Protection Regulation (GDPR) was passed in May of 2016 and comes into force exactly five months from Christmas Day on May 25, 2018. The aim of this regulation is to strengthen and unify personal data protection for all citizens (and residents) in the European Union, and to allow them to control their personal information (data). This personal data must be protected according to a number of articles in the regulation, and also applies to non-European organizations that process the personal data of EU citizens.

According to the European Commission, personal data is “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” As can be seen, this list covers just about everything!

One of the big requirements that is going to affect US organizations that do business with EU persons is their “right to be forgotten.” This means that EU citizens and residents can request that their personal data be removed from corporate databases in a timely manner. If this cannot be done, they have the right to know exactly why not.

Unlike HIPAA/HITECH, non-compliance with the GDPR can lead to some major league fines: in some cases, up to 20,000,000 Euros or 4% of the annual worldwide turnover of the preceding financial year of the organization (whichever is greater). I think that fines on this level show just how seriously personal privacy is being taken in the EU.

This new regulation just illustrates the pressing need for organizations to know how data flows across and is stored on computer networks. If you know exactly where personal data is and how it flows, you can deal with it. If you don’t, better get ready for some trouble ahead!

You need your own “cop on the beat”: Why security scanning services are not enough.

He knows what “normal” is. Source: Wikimedia Commons

I have repeatedly had the experience of performing external vulnerability assessments and discovering significant issues that were not being called out as such by the regular commercial assessment services employed by the client organization.

I recently discovered a case where active web server logs were freely available on the open Internet .  The usual information – source IP address, target resource, and status codes –  were all available.

Example: – – [02/Aug/2017:10:09:07 -0400] “GET /client/chat.php?id=1%22%20%3E%3C/script%3E%3Cscript%3Ealert%28%27QualysXSSTestPart2%27%29%3C/script%3E&xhash=1 HTTP/1.1” 302 433 “-” “-“ – – [02/Aug/2017:10:09:08 -0400] “GET /index.do HTTP/1.1” 302 301 “-” “-” – – [02/Aug/2017:10:09:10 -0400] “GET /userui/welcome.php HTTP/1.1” 302 311 “-” “-” – – [02/Aug/2017:10:09:12 -0400] “GET /struts2-rest-showcase/orders HTTP/1.1” 302 321 “-” “-” – – [02/Aug/2017:10:08:58 -0400] “POST /rest/json/login HTTP/1.1” 302 308 “-” “-” – – [02/Aug/2017:10:09:14 -0400] “GET /node.xml HTTP/1.1” 302 301 “-” “-” – – [02/Aug/2017:10:09:14 -0400] “GET /user/login HTTP/1.1” 302 303 “-” “-” – – [02/Aug/2017:10:09:15 -0400] “GET / HTTP/1.1” 302 293 “-” “-” – – [02/Aug/2017:10:09:16 -0400] “GET /admin.php HTTP/1.1” 302 302 “-” “-” – – [02/Aug/2017:10:09:16 -0400] “GET /console/login/LoginForm.jsp HTTP/1.1” 302 320 “-” “-”

The highlighted entry is a “cross site scripting” (XSS) test being run over the Internet by the vulnerability management service “Qualys“.

From “whois”

NetRange: –

Anyone on the Internet was able to view these logs and learn of the organization’s use of Qualys and something of the types of tests being performed and what the outcome of those tests were.

All highly useful information to any potential attacker.

Note that the problem here is NOT with Qualys.

The site that allowed these logs to be revealed had no “technical” security problem. Any internal user who was basing their understanding of the external security status of the organization strictly on the scanning service reports would likely have no reason to believe anything was wrong.

Your organization needs at least one knowledgeable and caring staff member whose job it is to know what your organization looks like from the Internet and can see when something is clearly wrong in the same way a neighborhood patrol officer can notice a strange car or a gate open that is normally locked.

You need your own “cop on the beat”.