Friday, March 6, 2015

7 Security Podcasts You Should Be Listening To



Here’s a list of the 7 best security podcasts on network security and hacking.
Daily Podcasts
Internet Storm Center StormCasts

https://isc2.sans.org/podcastdetail.html?id=4265

Listen to a daily wrap-up of events from the SANS Internet Storm Center.
Weekly Podcasts
Sophos Chet Chat

http://www.sophos.com/en-us/company/podcasts.aspx

Sophos makes antivirus and other security products. Two Sophos engineers record a weekly podcast covering security news and other security topics.
Security Now

https://www.grc.com/securitynow.htm

Steve Gibson and Leo Laporte record a two-hour podcast each week discussing security news, recent vulnerabilities, long-standing problems and best practices, and sometimes take a deep dive into a specific technology.
Security Weekly

http://securityweekly.com/

Formerly PaulDotCom. Listen to or watch Paul's weekly security podcast, which covers security news, research, hacker techniques and technical how-tos.
Packet Pushers

http://packetpushers.net/category/podcast-post/weekly-show

Weekly network engineering podcast that regularly covers security news and events.
Defensive Security Podcast

https://www.defensivesecurity.org/category/podcast

A weekly discussion of security events in the news.
Monthly Podcasts
Cigital Silver Bullet

http://www.cigital.com/silver-bullet

This monthly podcast usually consists of an interview of a prominent security researcher or engineer.
Ex Podcasts

These don't count toward the list because they appear to be abandoned: they either don't release on a regular schedule or have stopped releasing episodes altogether.
Cisco Security TAC Podcasts

http://www.cisco.com/c/en/us/solutions/enterprise-networks/security/security_tac_podcasts.html

Listen in as Cisco Security TAC engineers talk about the most interesting recent cases they've seen, new Cisco products, interesting solutions to problems, and tips for securing the network.
Tenable Podcasts

http://www.tenable.com/podcast

From the makers of the Nessus vulnerability scanner, these podcasts cover current events in network security and best practices for defending against them.

Helpful Websites for Webmasters

As a webmaster I find myself bookmarking a lot of sites that help me. Here's a list of the most helpful ones. Each of the websites listed is free or offers a free service.

Domain Name Finders

Need to find a good name for your next website project? These sites will offer a lot of great options.

http://www.leandomainsearch.com

http://www.dotomator.com/web20.html

http://www.impossibility.org

http://www.bustaname.com

http://www.hipsterdomainfinder.com

SEO Tools

Some tools to help with SEO.

http://alexa.com

Alexa is a great way to track the popularity of a website. It has other interesting information too.

http://rankpay.com

I’ve tried their service before and they charge a lot more than you expect. However, they do offer a free lookup to see how many monthly searches a keyword has. This is useful for finding the right name for an article or website name.

http://woorank.com

This page will analyze your website and give recommendations based on what it found to improve SEO.

http://www.semrush.com/info/history/index.html

A cool tool to track and compare the popularity of competing websites.

http://siteliner.com

This tool will analyze all of the content of your website to see if you have duplicate content.

http://www.google.com/adwords

Under Tools > Keyword Planner you can research which keyword terms get more traffic than others. This helps when deciding on the title of a page or the content of your site. The Keyword Planner is free and does not require buying any AdWords.

Analytics Tools

Gain insight into the users that are visiting your page.

http://www.google.com/analytics

Google Analytics is a super easy and beautiful analytics tool. I’m not a fan of Google and wish I could find another free alternative to website analytics but their tool is the best I’ve used.

https://www.google.com/webmasters

Google Webmaster tools will show you a view into what search terms people are using on Google to access your website.

http://piwik.org

If you want to bring your analytics in-house, Piwik is probably the best choice.

Free Images

http://www.flaticon.com

This site has a huge database of free vector graphics and icons.

http://fontawesome.io

Font Awesome integrates with Bootstrap, extending the basic Bootstrap icon set with many more icons.

https://www.iconfinder.com

This site has both free and paid vector images and icons.

http://www.smashingmagazine.com/tag/freebies

Smashing Magazine often releases freebie icon packs. This is a large trove of vector graphics and icons that are free.

Command Reference

http://devdocs.io

Previously called dochub.io and before that instacss. DevDocs is an easy-to-use cheat sheet for looking up HTML, CSS, JavaScript and many other web programming language commands.

http://www.w3schools.com/sql/sql_quickref.asp

W3Schools is a great place to look up commands for web programming languages. The link will take you directly to the SQL quick reference guide which is what I use the site mostly for.

Misc Tools

http://trello.com

A fantastic note-keeping tool. I use it to track bugs, write down ideas, and create to-do lists for websites I'm working on. It works well with multiple users at once and has a nice API that you can use to pull specific lists onto your own website.

Tuesday, February 24, 2015

Best Practices for Data Loss Prevention


https://siliconintelligence.wordpress.com/2015/02/13/best-practices-for-data-loss-prevention/
Data loss prevention (DLP) is a policy-based capability for preventing data leakage. It can be highly effective across the whole enterprise, but covering every possible implementation is a multi-year, multi-million dollar, multi-team effort.
The best way to approach an implementation is to have an enterprise-level view of how data moves, or more specifically how sensitive data moves around, into and out of the enterprise. This comes from a well-executed analysis and a business case.
DLP takes a primarily proactive approach to the enormous volumes of data that get lost, stolen or misplaced at rest or in transit. Many vendors have different offerings and it is not easy to choose the one that fits your enterprise, because the types of data living in an enterprise are numerous and one size does not fit all.
Points to consider when choosing a DLP solution are:
  • Choose a vendor with strong multi-industry experience, as their best practices and support will be very handy.
  • Choose a product that is easy to implement and that the operational team can later run efficiently. Some products lack clarity and have slack management consoles and drab dashboards; a few DLP solutions have nasty interfaces that will slow down your productivity.
  • It should have good content inspection and high throughput, because you don't want a choke point in every data path.
  • Stand-alone or centralized configuration, as both have pros and cons.
  • If your CSO is keen to have an overall view, choose a product that can integrate with anti-malware, web/mail services, identity management and SIEM. This combination is crucial for discovering serious strengths and weaknesses in your network.
  • Advanced logging and auditing capability and in-depth report generation, which is very handy for managers.
  • Software/virtual solution or a dedicated appliance, as performance and cost vary.
  • Last but not least, money, as this shouldn't hold you back from achieving your scope for the enterprise. No one wants a solution re-scoped because it is costing more than the initial estimate. I have come across major enterprise projects that were restricted to one customer site, a few applications or some user groups because funding was tight.
The success of a DLP solution relies on how good your documentation is and how well your support teams are trained. As I always believe, start small: just start monitoring, later add one or two features to your solution, train the support teams again, add more features, log more, train the support teams and loop.

Simple Strategies for Network Security Excellence

https://siliconintelligence.wordpress.com/2014/09/30/simple-strategies-for-network-security-excellence/
Excellence is a tough term to measure, because in today's IT spectrum no company or enterprise can say it has excelled in its IT, including innovation, design, operations, ROI or even day-to-day activities. Only a handful can claim it, and at various costs.
The myriad elements of an enterprise's technology have made it difficult to measure overall IT excellence. But network security in IT is very unique: network security doesn't have to excel, it just has to do its duty to get a pat on the back. At any given point every component of network security is working its best to earn that name.
At an enterprise level, few companies have really upped their game to excel in network security. Being a consultant and an architect, I have realised that a few tactical strategies can change an enterprise's posture and make it stand apart from the commoners.
The following are some where I have implemented and experienced network security excellence.
  1. Diversify network security and consolidate outcomes
For example, let a firewall be a firewall and stop rolling IPS, Anti-X, web/email filtering and so on into one box. At the end of the day humans design, implement, administer and manage a system, and I have never seen anyone be a king of all and perfectly configure a complete single-point solution.
  2. Single source of truth
All devices, hosts, equipment, racks, components, software, hardware, middleware, tokens, certificates and everything in between that touches network security should be in the CMDB. Everything needs an identifier, a version and a date of birth to draw a complete picture.
  3. Map the whole network
Ridiculous, you may say, but it's possible! Ten years ago, would anyone have thought it possible to map every road in every country? So yes, this is possible as well, and it helps in figuring out vulnerable points, choke points, loops, limitations, checkpoints and much more.
  4. LOG everything
I know how many companies see this as a waste of space, power and storage. But the right logger and report generator can do wonders. Graphs of usage, events, bandwidth, retries, drops, successful and failed attempts, overflows, chokes and capacity can identify whatever you want to see.
  5. Design any solution with security in mind
Whether it's an internet-facing router, a simple desktop printer, a static web page, an internet-connected fridge or anything else, make sure there is a security component involved, because you never know who, where, how or when something will get compromised.
All these points might sound common and like a standard formula, but when implemented together with a truly outstanding team the outcomes are very rewarding.

Cloud Computing Security Considerations

https://siliconintelligence.wordpress.com/2014/08/26/cloud-computing-security-considerations/
Today the buzzword is cloud; we hear that everything is moving to the cloud. But how safe is our data in the cloud? There is no definitive answer, because nothing is safe when it is not in our possession.
There are many factors to consider when choosing a cloud provider, and one of the main ones is security. Many of the major players still haven't adopted public cloud because data breaches and data loss in the cloud are very difficult to monitor and audit.
Last year I did a proof of concept for a major educational institution that was inclined to move to a public cloud. The feasibility study's main intention was to understand the pros and cons of moving the student database to a cloud provider. When I started gathering the information for this project, the first thing that struck me was: how do we trust the provider? Where are they storing the data? Who are we sharing the platform and infrastructure with? And so on.
So here are some points to consider when choosing a cloud vendor (from a security perspective):
  • How much do we know about the cloud provider: their reputation, company policies, etc.?
  • What are their business continuity and disaster recovery plans?
  • What are we moving to the cloud and what is the security classification of our data?
  • What is the security classification of our data in their model?
  • What type of secure connectivity does the cloud provider offer?
  • Is their backup adequate and does it meet our needs?
  • Does their SLA for availability meet our data availability requirements?
  • Do the provider's outage policies affect my business internally and externally?
  • What are their data loss and corruption prevention policies?
  • What level of storage sanitization is done after my data's end of life?
  • Who do we share the same infrastructure and platform with?
  • What security certifications does the provider hold and which are relevant to me?
  • Who do they share their company data and reports with?
  • Are the applications safe enough and do they have leakage protection?
  • What type of encryption do they use and where is it implemented?
  • Are the hardware and software the provider uses trustworthy and certified to international standards?
  • What auditing standards does the provider follow and can we audit using third-party firms?
  • Where are their NOCs and SOCs located and how quickly can we reach each other?
  • Is our data encrypted in a way that cannot be decrypted by the provider?
  • What are my legal requirements and can they be matched to the provider's offering?
  • What level of access do my users have to the data and how are they restricted?
  • Who are their subcontractors and are they certified as well?
  • And more...
This is not a comprehensive list, but it should help any company considering a move to the cloud to understand its requirements when choosing a cloud vendor. There is no shortcut to the cloud, and any company should consider the providers in its city or state first. This helps with many factors, including physical access, legal requirements and easy visits to the cloud facility.

Selling IT Security to CxO

https://siliconintelligence.wordpress.com/2014/01/04/selling-it-security-to-cxo/
One unanswerable question I get asked is how much money we will make by investing in enterprise security. The real answer is "nothing": technically, security spending is one of those streams that can't be mapped to profit, but it can definitely be mapped to preventing losses and a bad name. The money being spent is real but the results are abstract.
The best approach I have come across for selling security to the big guns is worst-case-scenario examples and real-life incidents in similar and non-similar industries. For example, if you are dealing with telco executives, a perfect example would be what happens if the signalling infrastructure is compromised or a border router vulnerability is exploited. This would lead to all hell breaking loose.
Similarly, if dealing with health executives: what if health records are stolen, data is lost because DLP was never implemented, or patient information is overwritten? If you look at it, all of these apply to every industry, but with varying levels of importance.
They can be hypothetical, but when combined with a strong business case, gap analysis, real-life scenarios, log analysis and historical evidence, every stakeholder will eventually agree that spending on security is required.
If your stakeholders are savvy and quick to understand the benefits then your job is done, but as I have seen in many enterprises and SMBs, an early YES has happened in only 10-15% of instances.
To strengthen your argument, attach values to every scenario. This could be time lost, money lost, device failure, incidents, or compliance and audit issues. Every angle counts, and if you need more pillars to hold up your case, add the following to your report.
  1. Losing goodwill because company/product name gets tarnished.
  2. Losing productivity
  3. Customer complaints
  4. Loss of intellectual property
  5. Losing partnerships
  6. Loss of customer data
  8. Defence and lawsuit settlements
  8. Compliance issues
  9. Time to fix
  10. And last but not the least “we are responsible, so need to be diligent”
In this era, selling security doesn't have to be money-based or a sales pitch. Commitment to security can be achieved using a tailored, consultative, growth-spurring, win-win approach.
All you need is the right attitude.

Enterprise Firewall Architecture – Points to ponder!

https://siliconintelligence.wordpress.com/2014/08/15/enterprise-firewall-architecture-points-to-ponder/
One of the challenges security professionals face today is finding an all-rounder firewall that performs most of the tasks needed to prevent an attack while also having loads of features and ease of use. Some firewalls provide many features at high cost, some provide a different set of features at mid-level cost, and a few provide the best of both worlds.
The question I have been asked many times by my clients is "which one is the best?". It's very similar to asking which car is the best or which five cities are the best to live in. Through years of experience (both good and bad) I have come to the conclusion that there is none, because there is no king of all, and defense in depth with multi-vendor firewalls should meet 95% of the requirements.
Today enterprises face numerous attacks of varying complexity and multi-layered attacks from both the ingress and egress directions. One way to choose the right firewall solution is to consider what you are trying to protect, which directly tells us the features we need and the right platform.
1. Stateful inspection (I do not think this should ever be mentioned as a feature anymore)
2. Scalability (Checkpoint, Cisco, Juniper)
3. Protocol Security (Checkpoint, F5)
4. DDoS Attack Prevention (Almost all major vendors)
5. Complete DLP (None)
6. SSL termination (Mainly F5 and few top ones)
7. Content Security (Checkpoint, F5)
8. IPS Integration (Palo Alto, Checkpoint , Cisco)
9. Performance (Checkpoint, Cisco, F5, Juniper, Palo Alto)
10. Management (Checkpoint I believe will be the winner)
11. Ease of Deployment (Checkpoint, Cisco, F5, Juniper, Palo Alto)
12. Time to release patches (Checkpoint, Cisco, F5, Fortinet)
13. Global Presence (Checkpoint, Cisco, F5, Juniper, Palo Alto)
14. Sales Channel (Checkpoint, Cisco, F5, Juniper, McAfee)
15. Global Intelligence (McAfee, Cisco)
16. Support (Checkpoint, Cisco, F5, Juniper, McAfee)
17. R&D (Cisco, Checkpoint, Fortinet, F5, McAfee)
18. UTM (Checkpoint, SonicWALL, Fortinet, Sophos)
19. Price (SonicWALL, Fortinet, Juniper, McAfee, Sophos)
20. 3rd Party Integration (Checkpoint)
Choosing an enterprise firewall is not an easy task, so architects should consider all these options and many more, such as throughput, clustering, virtualization, proprietary software and identity management. From the above list one of the major vendors might seem to stand out from the rest, but the cost, ongoing maintenance and non-uniform pricing are a killer.
Every enterprise is different and varies in its approach to security. An aggressive posture at the perimeter is crucial when it comes to protecting customer data as well as proprietary data. So my 2 cents is to have multi-vendor devices in a defense-in-depth configuration and to introduce DLP on every asset where the enterprise holds data.

Data Centre Security

Data Centre Security – Part 1

https://siliconintelligence.wordpress.com/2013/07/10/data-centre-security-part-2/
When I worked on a data center security program for a major vendor, two things came into perspective. One was how much is not too much, and the other was whether we could continue making changes without affecting sales.
This program was the result of Australian government regulatory requirements, had a strict deadline to meet, and carried penalties if those requirements were unmet. With enormous pressure coming from the CxOs, who had an immense interest in the outcome, we, a team of six from security and governance/compliance, jumped into a review program with an open mind.
In the first few weeks, an interesting fact identified was that there was no high-level data-center-specific security policy as part of the enterprise, and to make things worse there were 10+ contractors working on an ad hoc basis dealing with hardware, delivery, installation, cabling, racks, power, heating and cooling, with facilities management outsourced to an interstate company.
One might expect this in the early 90s at some small or medium business, but this was as real as it got in 2011 for a major software vendor. The previous audits had never raised any issues, since no incidents had been identified and BAU and projects were running on schedule.
My first reaction was: how will we propose changes without affecting the natural workflow that had brought in income for years? Seeing the current risk as an opportunity to improve the security posture, as well as a means to improve sales by setting standards, I took this as a challenge. From what I had learnt in my experience and from implementing TOGAF, the key is to involve every important superuser, employee and contractor so that they see what you see and feel. This might sound very dramatic, but it does help in bringing all the stakeholders and contractors onto the same page as yours.
Strongly believing in policies being set, my first recommendation as a consulting architect was to hold a workshop involving stakeholders and contractors. I briefed both parties individually and set the expectations straight: no one is at fault, but as a team this regulatory requirement can be met. This is very important because everyone is responsible, individually as well as a group, for making it right.
I proposed the following changes:
  • Corporate security policy to include the data centre
  • Asset classification, control and management as part of the second-level policy
  • Extending organizational security to include data centre policies
  • Disaster recovery with emphasis on business continuity as part of the data centre policies
  • GRC policies aligned to government requirements, which should include data centres
  • Operational security to include apps and data based in the data centre
  • Data centre physical and environmental security policy
With this done, in parallel we convinced the CSO to see the benefits and fund our program. With great difficulty the project was successful, and by 2013 the primary data centre was fully compliant and was considered one of the well-managed programs of the enterprise.

Data Centre Security – Part 2

How it was done.
The first step after approval of our findings was to work with the PMO to slow down the current projects affected by the requirements, and to have enterprise architecture kick-start the ADM process to include the data center policies and procedures at a high level. With this done, our team started holding workshops with facilities management and data center contractors to update their policies and workflows to reflect the new policies the company had set in place.
One of the major stakeholders was the enterprise security team, which had very loose ends in the data center program. It had never been an issue because the outsourcing model never held the third party responsible for non-compliance, as every state had its own way of interpreting state rules and laws.
Since this vendor had a base in four different states it was difficult to maintain policies under a single GRC policy, and each reported compliance in its own terms. Setting all that aside, this security program consolidated data and physical security at the headquarters and also established that policy would be held at the head office.
What is important at this stage is to understand that when setting a policy at an enterprise level, no matter what smaller-level policies exist, it is important to apply the set theory concept: the policy benefits all the stakeholders and at the same time complies with the law.
Points to take away are:
  • Enterprise architecture needs to be updated
  • National/federal law supersedes state laws and requirements
  • All stakeholders at the enterprise level are important, whether they fund the program or not
  • The PMO is as important as the program itself
  • Security is a key component of the whole enterprise
  • Stakeholder commitment at all stages
  • Security publications need to be kept up to date within the company, and they apply to employees and contractors




Tuesday, January 13, 2015

Configuring NTP at Windows 2008 R2

How To Clear NTP Configuration

Before configuring anything, clear up any previous attempts to configure NTP by running these commands on your soon-to-be Windows 2008 R2 NTP server:
net stop w32time
w32tm /unregister
w32tm /register
The service must be stopped first; w32tm /unregister then removes the Windows Time service's registry settings and w32tm /register recreates them with their defaults, so no stale peer list or sync flags linger. Once your NTP configuration has been cleared, you can configure your Windows 2008 R2 server to be an NTP server.

Configuring Windows 2008 R2 as an NTP Server

You're probably going to want to configure your domain controller to be the NTP server. Why? Because Kerberos tolerates only a small clock difference between a client and the domain controller that authenticates it (5 minutes by default, the MaxClockSkew policy setting), so it makes sense for the domain controller to be the NTP server and control what the correct time is. In an Active Directory domain, the PDC emulator in the forest root domain is the authoritative time source by default and the other domain controllers and domain members follow it through the domain hierarchy, so the manual peer configuration below belongs on the PDC emulator. To configure Windows 2008 R2 as an NTP server, run these commands:
w32tm /config /manualpeerlist:pool.ntp.org,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
The first command configures the server as an NTP client of pool.ntp.org, sending requests in client mode; /syncfromflags:MANUAL tells the service to use only the listed peers. The value after the comma is a set of bit flags that can be combined (for example 0x9 is client mode plus the special poll interval). If you don't want client mode, here are the alternative settings:
0x01 – use special poll interval SpecialInterval
0x02 – UseAsFallbackOnly
0x04 – send request as SymmetricActive mode
0x08 – send request as Client mode
I usually like to set any redundant domain controllers up in the same way, but pointing to the primary domain controller as the NTP server instead of pool.ntp.org. Alternatively, leave the other domain controllers and domain members on the default domain hierarchy (w32tm /config /syncfromflags:DOMHIER /update): time packets exchanged within the hierarchy are authenticated through the computer account's secure channel, whereas plain NTP fetched from an internet pool is unauthenticated, so keep the number of hosts that talk to external peers small.
pool.ntp.org is a round-robin group of NTP servers, but if you want to set up your own pool you can do this either in DNS or, preferably, by putting the manualpeerlist in quotes and separating multiple NTP server addresses with a space, like this:
w32tm /config /manualpeerlist:"ntp1 ntp2",0x8 /syncfromflags:MANUAL
Finally, ensure that NTP is allowed through your firewall. NTP uses UDP port 123: inbound on the server for its clients, and outbound from the server to its upstream peers.
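The same steps, wrapped in PowerShell as an added example (this is not code from the original post): the peer flags are named instead of memorised, the reset/configure/restart sequence is repeatable, and the NtpServer provider and firewall rule are handled explicitly. It must run from an elevated PowerShell prompt on the server that is to become the NTP server; the peer names ntp1/ntp2 and the firewall rule name are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated prompt on
# Windows Server 2008 R2; peer names and the firewall rule name are placeholders.

# Bit flags appended to each peer as ",0x<flags>"; they can be OR'd together.
$PeerFlags = @{
    SpecialInterval   = 0x01   # poll at the SpecialPollInterval registry value
    UseAsFallbackOnly = 0x02   # only use this peer when the others are unreachable
    SymmetricActive   = 0x04   # send requests in symmetric-active mode
    Client            = 0x08   # send requests in client mode (the usual choice)
}

function New-NtpPeerList {
    # Builds the value for /manualpeerlist, e.g. "ntp1,0x8 ntp2,0x8".
    # Peers are separated by spaces, so the whole list must be one argument.
    param(
        [Parameter(Mandatory = $true)][string[]]$Peer,
        [string[]]$Flags = @('Client')
    )
    $bits = 0
    foreach ($name in $Flags) {
        if (-not $PeerFlags.ContainsKey($name)) { throw "Unknown peer flag '$name'" }
        $bits = $bits -bor $PeerFlags[$name]
    }
    return (($Peer | ForEach-Object { '{0},0x{1:x}' -f $_, $bits }) -join ' ')
}

function Reset-W32Time {
    # The "clear NTP configuration" steps: stop the service, drop its registry
    # settings with /unregister, then recreate the defaults with /register.
    & net stop w32time  | Out-Null
    & w32tm /unregister | Out-Null
    & w32tm /register   | Out-Null
}

function Set-NtpServerConfig {
    param(
        [Parameter(Mandatory = $true)][string]$PeerList,
        [switch]$Reliable   # on a domain controller: advertise as a reliable time source
    )
    # /syncfromflags:MANUAL restricts the service to the listed peers. The post
    # restarts the service to apply the change; /update would notify it instead.
    $w32tmArgs = @('/config', "/manualpeerlist:$PeerList", '/syncfromflags:MANUAL')
    if ($Reliable) { $w32tmArgs += '/reliable:yes' }
    & w32tm $w32tmArgs | Out-Null

    # Answering NTP requests from clients requires the NtpServer provider.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer' `
        -Name Enabled -Value 1 -Type DWord

    & net stop  w32time | Out-Null
    & net start w32time | Out-Null
}

function Enable-NtpFirewallRule {
    # NTP is UDP/123. 2008 R2 has no NetSecurity cmdlets, so netsh is used.
    & netsh advfirewall firewall add rule name=NTPServerUDP123 dir=in action=allow protocol=UDP localport=123 | Out-Null
}

# --- usage: pool.ntp.org in client mode, as in the post; swap in your own peers.
Reset-W32Time
$peers = New-NtpPeerList -Peer @('pool.ntp.org') -Flags @('Client')
Set-NtpServerConfig -PeerList $peers -Reliable
Enable-NtpFirewallRule
& w32tm /query /configuration   # confirm NtpServer is enabled and the peer list took effect
```

For a private pool, pass -Peer @('ntp1', 'ntp2') to New-NtpPeerList; the function produces the space-separated, comma-flagged list that w32tm expects in a single argument, which is the part people most often get wrong when typing it by hand.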

Troubleshooting NTP

You can confirm that NTP is working correctly by performing a manual sync with this command:
w32tm /resync
or check the current time source, stratum and time of the last successful sync with this command:
w32tm /query /status
Finally, if you are still having trouble with NTP, you can enable debug logs with this command:
w32tm /debug /enable /file:C:\w32tmdebug.log /size:10485760 /entries:0-300
But don’t forget to disable logging when you’ve finished troubleshooting NTP. You can disable NTP logging with this command:
w32tm /debug /disable
Finally, if it’s still not working, you can start again and clear the NTP configuration with this command:
net stop w32time
w32tm /unregister
w32tm /register
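The troubleshooting commands above, turned into a pass/fail health check as an added example (not code from the original post). It parses the output of w32tm /query /status, refuses the local hardware clock as a source, flags a stale last sync, and measures the offset to each configured peer with w32tm /stripchart against the 5-minute Kerberos skew tolerance. The peer names are placeholders; it assumes the standard English w32tm output labels.

```powershell
# Added example, not from the original post. Assumes English w32tm output;
# peer names passed to Test-NtpHealth are placeholders.

function Get-W32TimeStatus {
    # Parse "Label: value" lines into a hashtable, splitting on the first colon
    # only (values such as "1/13/2015 9:12:34 AM" contain colons of their own).
    $status = @{}
    foreach ($line in (& w32tm /query /status)) {
        if ($line -match '^([^:]+):\s*(.*)$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-NtpPeerOffset {
    # Take a few samples against one peer and return the largest absolute
    # offset in seconds, or $null if every sample failed (unreachable/blocked).
    # /dataonly prints lines like "09:15:00, +00.0123456s" or "09:15:02, error: 0x800705B4".
    param([Parameter(Mandatory = $true)][string]$Peer, [int]$Samples = 3)
    $offsets = @()
    foreach ($line in (& w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly)) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { $offsets += [math]::Abs([double]$Matches[1]) }
    }
    if ($offsets.Count -eq 0) { return $null }
    return ($offsets | Measure-Object -Maximum).Maximum
}

function Test-NtpHealth {
    param(
        [string[]]$Peer = @(),
        [int]$MaxSyncAgeMinutes = 60,
        [double]$MaxOffsetSeconds = 300   # Kerberos MaxClockSkew default is 5 minutes
    )
    $problems = @()
    $status = Get-W32TimeStatus

    # A host that only follows its own hardware clock reports one of these sources.
    if ($status['Source'] -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "Source is '$($status['Source'])', not an NTP peer"
    }

    # Stratum 0 means unsynchronised; 16 and above is not a usable NTP chain.
    if ($status['Stratum'] -match '^(\d+)' -and ([int]$Matches[1] -eq 0 -or [int]$Matches[1] -ge 16)) {
        $problems += "Stratum is $($status['Stratum'])"
    }

    # "unspecified" (never synced) fails to parse and is reported as a problem.
    $lastSync = $null
    if ([datetime]::TryParse($status['Last Successful Sync Time'], [ref]$lastSync)) {
        if (((Get-Date) - $lastSync) -gt [timespan]::FromMinutes($MaxSyncAgeMinutes)) {
            $problems += "Last successful sync was at $lastSync"
        }
    } else {
        $problems += "No successful sync recorded ('$($status['Last Successful Sync Time'])')"
    }

    foreach ($p in $Peer) {
        $offset = Get-NtpPeerOffset -Peer $p
        if ($null -eq $offset) { $problems += "Peer $p did not answer (UDP/123 blocked?)" }
        elseif ($offset -gt $MaxOffsetSeconds) { $problems += ("Offset to {0} is {1:N3}s" -f $p, $offset) }
    }
    return ,$problems   # unary comma keeps an empty array from collapsing to $null
}

# --- usage: an empty result means every check passed.
$issues = Test-NtpHealth -Peer @('pool.ntp.org')
if ($issues.Count -eq 0) { 'NTP healthy' } else { $issues | ForEach-Object { "FAIL: $_" } }
```

Run it on the NTP server with its upstream peers, and on a domain member with the domain controller as the peer: a peer that never answers points at the UDP/123 firewall rule, while a large offset with a recent sync time usually means the server itself is following the wrong source.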
