Workstation Logging Best Practices

Why Workstation Logging Matters

Workstations are important components of any IT infrastructure, and they’re also one of the most overlooked. Often seen as expendable, many organizations fail to see the value of workstation logs, and how they can add to the visibility and detection capabilities of the security team. Workstations are quite likely to be early indicators of attack and malware infections. They are also often super useful in identifying manual attacker behaviors and performing adequate forensics.

Organizations that don’t maintain and organize workstation logs are usually missing out on some essential data and falling short of having across-the-enterprise visibility. This is especially true if you have a decentralized work environment. Simply enabling, configuring, and properly aggregating workstation logs can give you a huge forensic advantage. Adding real-time or near real-time log parsing and event alerting makes that advantage a superpower.

What to Log

The security events an organization captures on their workstations depend largely on industry-specific needs and relevant legal requirements. However, best practices call for several events that must be recorded and logged to ensure user accountability and to help organizations detect, understand, and recover from malicious events. These events include:

  • Authentication successes and failures for all users and services
  • Access control successes and failures for all users and services
  • Session activity, including files and applications used, especially system utilities and Powershell, if applicable
  • Changes in user access rights or privileges

The Bottom Line

Get busy logging on workstations. Make sure the logs are properly configured, aggregated, and processed as a part of your detection capabilities. Don’t view workstation logs as throw-aways. Instead, see them as a powerful lens for early detection, forensics, and attack recovery.


Thanks to @TheTokenFemale for pointing out that the logs should be sent somewhere off the system. I meant that by aggregation, but to clarify, the logs should be sent, processed, and archived using a log aggregation system or toolset that includes proper chain of evidence handling, alerting, and heuristics. It should also store and archive the relevant logs according to best practices and legal and regulatory guidance. 

Data Protection Becoming More Important all the Time

Data is the mountain of unorganized fact that inhabits our computer systems and networks. It is analogous to unrefined ore in mining: we mine ore and then process it until we end up with useful metals. Similarly, we mine our computer networks for raw data and process it until we end up with useful information.

It is amazing what information we can glean from seemingly innocent and unrelated facts! People can combine bits of data and deduce who we are, where we live, how we shop, how many kids we have and a plethora of other information that we don’t really want to be common knowledge. This is true not only on the personal level, but on the business and government levels as well. Hence the rise of laws like GDPR, the California Consumer Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and the Colorado Privacy Act. We can expect more privacy and data protection laws from more states and countries in the future. To address these problems, it is very important for organizations to develop and maintain a data management policy and the processes necessary to carry it out.

Among the most important of these processes is data inventorying. A data inventory (or data map) should fully describe the data asset and should include such information as the data’s name, contents, ownership, classification (sensitivity level), retention factors, origin, and other considerations that are important to the organization. Setting up such an inventory may be a daunting task, but once in place, will greatly simplify complying with regulatory requirements and other data management tasks. Along with data inventorying, it recommended that data flows should be tracked. Knowing what data you have and where and how it flows across the network is vital to protecting it.

Another important consideration in data protection is ensuring access to specific data is limited to only those individuals with a legitimate need for that access. This is where access control lists come into play. Access control lists should be strictly maintained and reviewed regularly. It is important to adjust these lists immediately when individuals change jobs within the organization, quit or are terminated. It is also highly desirable to employ strong access controls such as MFA to ensure that the person who is accessing protected data is indeed the person they claim to be.

Another way to protect data is through the use of encryption. Encryption is highly effective in protecting data if it is implemented correctly. Data should be encrypted when at rest and when it is being transmitted across networks. This is especially important in keeping ransomware attacks from becoming devastating. Even if attackers gain access to private data on your system, encryption means they can’t actually read it. This limits their attack to availability only, and eliminates compromise of confidentiality, which can save the organization from regulatory and legal penalties. Strong encryption algorithms should be employed, and a usable and secure key management system should be employed. Encryption keys should be among the most highly protected data assets you have, and ideally should be air-gapped from the rest of the network.

Data backups should be made regularly depending on business requirements of the organization. Backups should be stored in more than one location and should be protected as diligently as information on your production network. Backups of sensitive data should be encrypted and tested on a regular basis.

In addition, access to sensitive data, it’s modification and disposal should be logged and monitored. This should include access to encryption keys and security logs themselves. Protecting and managing data is not easy, but will provide your organization with a bounty of advantages that could help your reputation and save you time and money in the long run.

About the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was adopted in March of 2022 and is an outgrowth of the National Infrastructure Protection Plan (NIPP) that has been around since 2013. What this means to organizations that are covered critical infrastructure entities it that they will be required to report cyber incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) in a very short time frame. Specifically, these organizations must:

  • Report any “covered cyber incident” within 72 hours of determining that the incident has occurred to the CISA
  • Report issuance of a ransomware payment to the CISA within 24 hours
  • Provide CISA with supplemental information when substantial or new information regarding the incident becomes available to the entity

A question that immediately occurs to one upon reading these requirements is, what is a “covered cyber incident” under CIRCIA? Covered cyber incident under this law must meet any one or all of the following criteria. A covered cyber incident causes or creates:

  • “Substantial loss of confidentiality, integrity, or availability” in information systems or “serious impact on the safety and resiliency” of operations
  • “Disruption of business or industrial operations,” including service denials, ransomware attacks, or exploitation of “zero-day vulnerabilities)”
  • “Unauthorized access or disruption of business or industrial operations” from the loss of services facilitated through or caused by a third-party data hosting provider or supplier

What business sectors are considered critical infrastructure in the U.S.? Critical infrastructure includes the following 16 sectors:

  1. The Chemical sector
  2. The Commercial Facilities sector
  3. The Communications sector
  4. The Critical Manufacturing sector
  5. The Dams sector
  6. The Defense Industrial Base sector
  7. The Emergency Services sector
  8. The Energy sector
  9. The Financial Services sector
  10. The Food and Agriculture sector
  11. The Government Facilities sector
  12. The Healthcare and Public Health sector
  13. The Information Technology sector
  14. The Nuclear Reactors, Materials and Waste sector
  15. The Transportation Systems sector
  16. The Water and Wastewater Systems sector

So, how are you to know if your organization is included under this new law? That is being determined now by the CISA. To define a covered entity under the law, they are considering three factors:

  1. The consequences that a particular cyber incident might have on national or economic security, public health and safety
  2. The likelihood that the entity could be targeted for attack
  3. The extent to which an incident is likely to disrupt the reliable operation of critical infrastructure

These criteria not only cover critical infrastructure organizations, they cover organizations that support the security and resiliency of critical infrastructure.

Luckily, organizations in this sector will have some time to get ready for these new requirements. The deadline for the publication of the Notice of Proposed Rulemaking is not until March 15, 2024, and the deadline for issuance of the Final Rule is slated for September 15, 2025. My advice is to take advantage of this time and prepare!

Enabling ESP32 Secure Boot

What is Secure Boot?

ESP32 has a secure boot feature that allows you to configure the device to only accept signed firmware images from trusted sources. This can be used to prevent unauthorized modifications of your code and data on the ESP32, or to protect against malicious software (malware) attacks.

Why should it be used?

The ESP32 is an open-source hardware platform, which means anyone can modify its design. However, this also makes it vulnerable to malware attacks. If the attacker gains access to the device’s flash memory, they could replace the original firmware with their own version. In addition, if the attacker manages to gain root access, they could install any software on the device without user consent.

Secure boot prevents these types of attacks by requiring all firmware images to be digitally signed before being loaded into the device. Only those images that are signed by a trusted certificate authority will be accepted.

How does it work?

The ESP32 uses a Trusted Platform Module (TPM), which is a special-purpose chip designed for cryptographic operations. It provides a tamper-resistant environment where sensitive information such as passwords, keys, and certificates can be stored securely.

When the ESP32 boots up, it reads the TPM’s public key and checks whether the image file is signed using the private key associated with the public key. If so, the image is loaded into the device. Otherwise, the system displays an error message and refuses to load the image.

How do I enable it?

Secure Boot is enabled by default in the latest version of Espressif’s SDK for ESP32 development. But, on older versions of the SDK, you need to set the “secure_boot” option when initializing the board:

esp_init(0, 0x000002ff); // Initialize ESP32 module at address 0x00000200

esp_set_secure_mode(1); // Set secure boot mode


Why You Should Support CS2AI

What is Control Systems Cyber Security Association International (

The mission of the Control Systems Cyber Security Association, Inc. (CS2AI) is to promote and advance cyber security education, research, and practice to protect critical infrastructure and ensure the safety and reliability of our nation’s control systems.

What does that mean? It means we are here to help you understand how to keep your control system safe from hackers, malware, and other threats. We want to ensure you know what to look for in a good cybersecurity program and how to find it.

We also want to ensure you have access to the best resources available to help you stay up-to-date on current trends and technologies.

Why does MSI support it?

Because we believe in its mission. We believe in making sure everyone has access to the information they need to make informed decisions about their own cybersecurity programs, especially when it comes to ICS.

We believe in helping people learn more about cybersecurity so they can take steps toward protecting themselves and their organizations.

We believe in supporting those who share our passion for improving the world through technology. CS2AI supports the core mission of MSI – making the online world a safer place for all of us.

How do I get involved?

It’s simple – click here to learn more about joining and the benefits of supporting the ongoing efforts to improve global cyber security.

Supply Chain Security Insights

Supply chain attacks are one of the most common cyber threats faced by organizations. They are costly and disruptive, often resulting in lost revenue and customer trust.

In this article, we’ll discuss five insights about supply chain attacks that all supply chain management and information security teams should be aware of.

#1. Supply Chains Can Be Vulnerable

Supply chains are complex networks of companies, suppliers, customers, and partners that provide goods and services to each other.

They include manufacturers, distributors, retailers, service providers, logistics providers, and others.

These entities may interact directly or indirectly via intermediaries such as banks, insurance companies, payment processors, freight forwarders, customs brokers, etc.

Supply chains are vulnerable to attack because they involve multiple parties and interactions between them. Each organization in the chain will have its own risk profile, security posture, and business model. This creates a complex environment for security risks. Attackers can target any part of the supply chain, and often focus on the weakest link, including manufacturing facilities, distribution centers, warehouses, transportation hubs, retail stores, etc.

Attackers can disrupt operations, steal intellectual property, damage reputation, and cause losses in revenue and profits.

#2. Supply Chain Security Must Include All Stakeholders

Supply chain security involves protecting against threats across the entire value stream. This means securing data, processes, systems, physical assets, personnel, and technology.

It also requires integrating security practices and technologies across the entire organization.

This includes ensuring that information sharing occurs among stakeholders, that employees understand their roles and responsibilities, and that policies and procedures are followed.

Security professionals should collaborate closely with executives, managers, and staff members to ensure that everyone understands the importance of security and has ownership over its implementation.

#3. Supply Chain Security Requires Ongoing Monitoring and Maintenance

Supply chain security requires ongoing monitoring and maintenance.

An effective approach is to continuously monitor the status of key indicators, assess risks, identify vulnerabilities, and implement countermeasures.

For example, an attacker could attempt to compromise sensitive data stored in databases, websites, mobile apps, and other locations.

To prevent these incidents, security teams should regularly review logs, audit reports, and other intelligence sources to detect suspicious activity.

They should also perform penetration tests, vulnerability scans, and other assessments to uncover potential weaknesses.

#4. Supply Chain Security Requires Collaboration Across Organizations

A single department cannot manage supply chain security within an organization.

Instead, it requires collaboration across departments and functional areas, including IT, finance, procurement, human resources, legal, marketing, sales, and others.

Each stakeholder must be responsible for maintaining security, understanding what constitutes acceptable behavior, and implementing appropriate controls.

Collaborating across organizational boundaries helps avoid silos of knowledge and expertise that can lead to gaps in security awareness and training.

#5. Supply Chain Security Is Critical to Organizational Success

Organizations that fail to protect their supply chains face significant financial penalties.

A recent study found that supply chain breaches cost United States businesses $6 trillion annually.

That’s equivalent to nearly 10% of the annual global GDP.

Supply chain attacks can result in lost revenues, damaged reputations, and increased costs.

Companies that invest in supply chain security can significantly improve operational efficiency, productivity, profitability, and brand image.

Bluetooth – Take a Look Around Your Life

What’s Interesting?

I wanted to take a moment to discuss Bluetooth (BT) scanning tools and how easy it is to find a plethora of BT devices around you at any moment. I’ve been watching some of the objects that have come up lately, which are pretty interesting.

Give it a shot for yourself, and remember to be respectful of the devices and their owners you find. Yes, there are often attack surfaces around to tamper with. Yes, some of the devices make it easy to track their owners (especially wearables). Don’t do those things, but do take a look around and be aware of just what all BT devices are in your home and business. The results might shock you.

What do you need to look around?

Here are two easy tools to help:

1) On your mobile phone, grab an app called nRF Connect (available for iOS and Android in their respective stores and on your laptop). It makes it trivial to see all of the named and unnamed devices near you, at the mall, in a crowd, etc.

2) Another option for your mobile devices, and in some cases, your laptop, is LightBlue. This is a simple to learn and use inventory and debugging tool for BT developers. Very useful for exploring as well.

Give it a shot. Take a look around. Again, be respectful of what you find, but it opens the door to a lot of exciting stuff in our environments that are nearly invisible in many cases to our naked eyes.

Use the CISA Known Exploited Vulnerabilities Catalogue to Improve Your Patching Program

Cyber criminals are finding and exploiting vulnerabilities in programs and equipment faster than ever. For an example, just this week the Cybersecurity and Infrastructure Security Agency (CISA) warned of two vulnerabilities with CVE ratings of 9.8 that are being actively exploited in the wild to attack unpatched versions of multiple product lines from VMware and of BIG-IP software from F5. According to an advisory published Wednesday, the vulnerabilities (tracked as CVE-2022-22960 and CVE-2022-22960) were reverse engineered by attackers, an exploit was developed, and unpatched devices were being attacked within 48 hours of the release. Currently, this kind of rapid exploitation is not at all unusual. This means that to keep in step, organizations not only must monitor all of their IT assets for vulnerabilities, they must patch them quickly and intelligently.

This is where the CISA Known Exploited Vulnerabilities Catalogue (also known as the “must patch list”) can be a real help. It is free to all, regularly updated, and can be accessed at What is nice about this tool is that it only includes vulnerabilities that are known to be currently exploited and dangerous. This helps you avoid wasting time and effort patching vulnerabilities that can wait. The catalogue also helps prevent organizations from concentrating too much on Microsoft systems. When you view the current catalogue, you will see exploited vulnerabilities in Apple, Cisco, VMWare, Big-IP, Fortinet, Chrome and IBM just to name a few.

As we have emphasized before, it is very important to track all of your IT assets. That is why maintaining current inventories of all hardware devices, software applications, operating systems and firmware applications on your networks is listed as Job #1 in cutting-edge information security guidance. Once you have a process in place to ensure that your inventories are complete and regularly updated, why not leverage all of that work to inform your patching and security maintenance program? You can simply compare the must patch list with your IT asset inventories and see if any of the currently exploited vulnerabilities pertain to your systems. If they do, that gives you a quick guide on which systems should be immediately patched. Remember that in the current threat environment, speed is indeed of the essence!

How Do I Know If My Company Needs a Risk Management Policy?

Risk management policies protect companies against financial losses due to various risks. These risks include legal issues, employee misconduct, environmental hazards, etc.

A company may implement a risk management policy to minimize these risks. However, several questions should be asked before implementing such a policy.

What Are the Risks That Could Lead to Financial Losses?

Many types of risks can lead to financial losses. Some examples include:

• Legal issues

• Employee misconduct

• Environmental hazards

• Product liability

• Cybersecurity threats

• Data breaches

• Other

It is important to understand what type of risk your company faces. For example, if your company sells products online, you will face cyber security risks.

Are There Any Existing Policies?

Before deciding whether or not to adopt a risk management policy, it is important to determine whether any existing policies cover the risks your company faces.

For example, if your company has an insurance policy, then you may not need to implement a separate risk management policy.

However, if your company does not have an insurance policy, then it is necessary to consider implementing a risk management policy.

Is Implementing a New Policy Worth It?

Once you know what type of risks your company faces, it is time to decide whether or not to implement a risk management plan.

Some companies feel that they do not need a risk management plan because their current policies already address their risks. However, this decision should be made carefully.

If your company does not have a formal risk management policy, then it is possible that some of the risks your company faces could go unaddressed. This means that the risks could become more significant problems down the line.

In addition, if your company decides to implement a risk management program, it is crucial to ensure that the program covers all the risks your company faces, including those currently unaddressed.

Do Your Employees Understand What Is Being Done?

When implementing a risk management plan, it is vital to ensure employees understand what is being done.

This includes explaining why the risk management plan was implemented, how the plan works, and what steps must be taken to comply.

The goal here is to ensure that employees understand your company’s risks and how the risk management plan helps mitigate them.

Will the Plan Be Cost-Effective?

Finally, it is essential to evaluate whether or not the risk management plan will be cost-effective.

Cost-effectiveness refers to the amount of money saved compared to the costs incurred.

For example, suppose your company spends $1 million per year to insure its assets. In addition, suppose that the risk management plan saves $500,000 per year. Then, the risk management plan would be considered cost-effective if it saves $500,000 annually.

In this case, the risk management plan is cost-effective because it saves $500,00 annually.

However, if the risk management plan only saves $100,000 per year, then the plan is not cost-effective.

In Conclusion

As discussed above, there are many reasons to implement a risk management strategy.

These strategies can help your company avoid potential financial losses caused by certain risks.

In addition, implementing a risk management plan can make your company more efficient and productive.


How to Rotate Your SSH Keys

SSH keys are used to secure access to and authenticate authorized users to remote servers. They are stored locally on the client machine and are encrypted using public-key cryptography. These keys are used to encrypt communications between the client and server and provide secure remote access.

When you log into a remote machine, you must provide a valid private key to decrypt the traffic. As long as the private key remains secret, only you can access the server. However, if someone obtains your private key, they can impersonate you on the network.

SSH key rotation helps prevent this type of unauthorized access. It reduces the risk that someone has access to your private key, and helps prevent malicious users from being able to impersonate you on your network.

Most security policies and best practices call for rotating your key files on a periodic basis, ranging from yearly to quarterly, depending on the sensitivity of the data on the system. Such policies go a long way to ensuring the security of authentication credentials and the authentication process for sensitive machines.

There are two ways to rotate your keys: manually, and automatically.


To manually perform key rotation, you need to generate a new pair of keys. Each time you do this, you create a new key pair. You then upload the public key file to the server you wish to connect to. Once uploaded, the server uses the public key to verify that you are who you say you are.


An alternative approach is to use automatic key rotation. With automatic rotation, you don’t need to generate a new key pair each time you change your password. Instead, you simply update the permissions on your existing key file.

The following steps show how to configure automatic rotation.

1. Generate a new keypair

2. Upload the public key to the remote server

3. Configure the remote server to use the new keypair

4. Update the permissions on the old keypair file

5. Delete the old keypair

6. Logout from the remote server

More Information

On Linux systems, use the “man” command to learn more about the following:

    • ssh-keygen command
    • ssh-public-key command
    • upload-ssh-public-key command

The examples should provide options for command parameters and sample command output for your operating system.

For more information about the SSH protocol, you can review the Wikipedia article here.