90 Day Plan for New IT Security Managers

Posted on March 29, 2011 by apomeroy

You’ve just taken over as an information security director, manager, or architect at an organization. Either this is a new organization that has never had this role before or your predecessor has moved on for some reason. Now what? The following outlines steps that have been shown to be effective (also based on what’s been ineffective) getting traction and generating results within the first three months. Once some small successes are under your belt, you can grow the momentum to help the business grow faster or reduce the risk to their success (or both).

Now what do we do?

Apply a tried and true multi phase approach .. assess current state, determine desired target state, perform a gap analysis, implement improvements based on priority. Basically we need to establish current state, determine what future state should be, and use the gap analysis as the deliverables of the IT security program. There may be many trade-offs that are made due to limiters like political challenges, funding constraints and difficulty in changing corporate culture. The plan you build with the business gives you the ammunition needed to persuade all your stakeholders of the value in the changes you’ll be proposing.

1. Understand the Current Environment

For a manager or enterprise architect to determine where to start, a current state must be known. This is basically an inventory of what IT security controls, people and processes are in place. This inventory is used to determine what immediately known risks and gaps from relevant security control frameworks exist. The known risks and gaps gives us a starting point to understand where impacts on the business may originate from.

Take the opportunity to socialize foundational security concepts with your new business owners and solicit their input. What are the security related concerns they have? If there has been any articulation of Strengths, Weaknesses, Opportunities, and Threats (SWOT), obtaining that review can also give you an idea of weaknesses or threats that are indicative of missing controls. In the discussions with your new constituents, talk to the infrastructure managers and ask them what security related concerns keep them awake at night – there is likely some awareness but they don’t know how to move forward. Keep in mind most organizations will want a pragmatic approach versus an ivory tower perfect target state.

Some simple questions can quickly give you a picture of the state of security controls. For example, in organizations I’ve worked with, the network administrators could not provide me a complete “layer three” diagram – a diagram that shows all the network segments and how they hang together. It wasn’t that they didn’t want to, the diagrams simply didn’t exist. With over 1,500 network nodes over two data centers and two office complexes, the network group had the topology and configuration “in their heads”. Obvious weaknesses and threats include prevention of succession planning or disaster recovery, poor security transparency, and making nearly any change to the environment higher risk than necessary.

Continue reading →

Building a new PVR

Posted on February 23, 2011 by apomeroy

<Updated Aug 18, 2011 after a successful PVR rollout>

Technology has evolved since the last MythTV PVR I built, as chronicled here. Here’s the latest techniques and tech that I’ve used to (start) build(ing) my current PVR. I’ll update this article as I go, as there’s been some bumps along the way, so completion of the project has been slower than I anticipated.

Requirements for my new PVR include:

Linux operating system for cost and flexibility reasons
Quiet! Fan-less operation if at all possible, external power supply ok
Small form factor, black case to fit in with my current home theater gear
Video capture with MPEG-2 hardware acceleration to help keep the CPU needed as small as possible, in an expansion card format for the most compact physical footprint .. additionally there must be at least two independent tuners
Analog tuners, but would be good if they were capable of digital for when I eventually move to digital/HD
IR receiver and transmitter capability for easy remote control and ability of the PVR to use my current set-top box as a source (gives me all the cable company movies and channels that are not available via the basic cable connection
Ability to schedule at least 10 shows and retain 5 episodes of each show .. also ability to schedule based on show name alone
Ability to perform post-recording processing, such as removing commercials or changing formats
Should be able to use a pre-packaged distribution for most if not all of the functions .. I know it’s a home-brew, but I’m tired of messing with individual packages, firmware, and custom codes to make it work. Using a distribution package makes it easier to maintain through updates.
Want to purchase the parts from the same supplier if possible (ended up using newegg.ca)

Since I already run MythTV, it was an obvious starting point and given I don’t have an affinity to a specific Linux distribution, I looked at Mythbuntu and Mythdora since I’m familiar with and already run both Ubuntu and Fedora distributions.

After downloading the Mythbuntu 10.10 ISO disk image, I discovered I didn’t have my USB DVD drive, so I wanted to create a bootable USB flash disk. I followed the excellent instructions at https://help.ubuntu.com/community/Installation/FromUSBStick and successfully burned a bootable Mythbuntu disk on a 2GB USB flash disk via a Ubuntu VM running on my MacBook Pro.

Continue reading →

Merry Christmas and Happy Holidays .. fantastic diving

Posted on December 24, 2010 by apomeroy

Well, here’s a shout out to Mike Severns Diving in Maui .. (808) 879-6596. As usual, the crew including Warren, AJ, Michelle and last but certainly never least, skilled and fearless (or at least never speechless) captain Andy, managed to provide two superb days of diving in the Molokini crater in Maui. Even with poor visibility on the coast during my second day, the extra time in the crater was well worth it.

We scoped out the Molokini reef three times and also did the Tank to the Landing craft drift dive. Saw a number of firsts for me on Thursday, including a small octopus, frogfish, flounder and nudibranch.

Other finds included a sponge starfish, a wire coral and a spiny urchin.

Thanks very much for another great diving trip to Maui guys! The Severns crew including AJ, Michelle, Andy and Warren were as usual, spectacular dive masters – knew where to look for the interesting bits and were really down to earth. Their dive boat can take out up to 12 divers, so it’s a smaller group allowing more interaction with the crew, compared to the larger 20+ diver boats.

See you in another year!

Resetting user passwords in Mac OS X Leopard without Administrator

Posted on December 8, 2010 by apomeroy

For those odd times where you need to reset the password for a user on a Mac (OS X 10.5 Leopard) and you don’t have access to the / an administrator account, this is a procedure that will work if you have physical access to the system and can reboot it. No boot DVD is needed if you can boot the system off the internal hard disk.

We boot into single user mode off the internal hard disk, then reset the target user password.

Boot into single user mode (press Command-S at power on)
Check the root filesystem first
fsck -fy
Mount up the root filesystem
mount -uw /
Load system directory services
launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
Edit user information
dscl . -passwd /Users/username password (replace username with the targeted user and password with the new password)
Reboot then sign in with the new password.
reboot

MySQL Notes

Posted on November 19, 2010 by apomeroy

MySQL Command Line and Configuration Notes

Drop tables with wildcard:

There are multiple ways to specify MySQL credentials, this is not the best, but simply an example of how to drop tables using a wildcard pattern. In this case, command line history such as .bash_history will store your MySQL username and password plaintext, and an extended process listing will also reveal both username and password. When run from the command line like this, the SQL commands and the credentials are not stored in the MySQL history file (.mysql_history). On closed (private) systems, the risk is low, especially if you clean up after these maintenance activities by purging the command histories.

mysql -u user -p password database -e "show tables" | grep "table_pattern_to_drop_" | awk '{print "drop table " $1 ";"}' | mysql -u user -p password database

Movember is Prostate Cancer awareness Month

Posted on November 6, 2010 by apomeroy

No laughing matter, prostate cancer. The guys at AESO have joined together to form team Mo Lecious to raise money for prostate cancer research. Movember is moustache month .. each team member needs to grow a moustache to raise funds. No connection of side burns to the moustache .. that's a beard. No connection of both ends of the moustache .. that's a goatee. All else is fair game.

My Movember page here

In addition, I'm offering up a shiny new iPod Nano to the person who donates the single largest amount.

Please consider donating some money .. it's for a good cause.

Thanks,
AP

Update WordPress home URL

Posted on November 2, 2010 by apomeroy

There are times when moving or copying WordPress blogs from one server to another, the owner may want to update the URL associated with the specific site.

A simple MySQL update can match the WordPress blog to a new site URL:

mysql> select option_value from wp_options where option_name = 'siteurl';
+--------------------------------+ | option_value | +--------------------------------+ | http://www.example.com | +--------------------------------+ 1 row in set (0.00 sec)

mysql> select option_value from wp_options where option_name = 'home';
+--------------------------------+ | option_value | +--------------------------------+ | http://www.example.com | +--------------------------------+ 1 row in set (0.00 sec)

mysql> update wp_options set option_value='http://server.newsite.com' where option_name='siteurl';
Query OK, 1 row affected (0.00 sec) Rows matched: 1 Changed: 1 Warnings: 0

mysql> update wp_options set option_value='http://server.newsite.com' where option_name='home';
Query OK, 1 row affected (0.00 sec) Rows matched: 1 Changed: 1 Warnings: 0

Phishing attacks getting better .. iTunes Receipts

Posted on October 1, 2010 by apomeroy

So I get a call this morning from a family member who is freaking out over a six hundred dollar iTunes invoice. Fortunately I knew this person didn't have an iTunes account (they use mine), so I knew right away it was a fraud. On inspecting the invoice, there were so few errors it's chilling. If this had of been an invoice from the (Acme Widget Company) that I do have an account with .. it's possible it may have worked.

This is particularly evil, since it's associated with the Zeus trojan that steals banking credentials

The quality of phishing emails have dramatically improved as the quality assurance by malware miscreants improves.

On closer inspection, there were three very subtle errors made on this iTunes phishing attack:

No street address was shown. iTunes receipts always have your street address listed and spamming dirt bags don't have that (we hope).
Receipts (that I've paid attention to) come with an American style date format .. month / day / year. Canadian or European formats are typically day / month / year or year / month / day. This one is day / month / year.
Modern corporate invoicing systems don't include leading zeros. Also the quantity and dollar amounts don't add up.

Every web hyper-link in this invoice except for the Apple Store Support and the Apple Legal links point to a non-Apple site. All the links in iTunes invoices point to Apple. In this case, the infected domain was medicineni.com . This is particularly evil, since it's associated with the Zeus trojan that steals banking credentials. Bogus LinkedIn invites have also been confirmed to be coming from the Zeus botnet.

We still need to stay awake to the attacks by these malware miscreants, because they are getting better by the month.

Fun distraction .. corporate BS generator

Posted on August 28, 2010 by apomeroy

If you are stuck for what to put into your executive summary for that high profile project you’re trying to get approved, try out this site: The Corporate B.S. Generator. Some of the generated phrases are frighteningly close to the lingo we see every day!

Security tools

Posted on August 28, 2010 by apomeroy

This is a (non-comprehensive) list of the various security tools I have used. I started this list to keep track of tools that I've tried out and the level of satisfaction with them. Obviously there are hundreds of tools that any IT security professional uses throughout their career, so I'm just starting to put down the most recent, interesting or particularly effective. As I have time, I'll update and add comments/reviews/examples as well as break this into categories as the list grows.

Assessment / Attack Tools

Web Application Attack and Audit Framework (w3af) w3af.sourceforge.net

IBM Rational AppScan www-01.ibm.com/software/awdtools/appscan

Samurai Web Testing Framework samurai.inguardians.com

Visualization Tools

SecViz Security Visualization (davix) www.secviz.org/node/89

Password Tools

L0phtcrack www.l0phtcrack.com

Forensics

V3RITY Oracle Database Forensics (www.v3rity.com/v3rity.php) – "V3RITY is a tool that can be used in an Oracle forensics investigation of a suspected breach. It is the first of its kind and is currently in the beta stages of development."

Allen Pomeroy

IT Security and personal stuff

Author Archives: apomeroy