Tuesday, August 25, 2015

DDOS Arbor Style

NOTE: I have zero financial relationship with Arbor, don't even hold their stock. However, I have seen them in the field for 20 years, they must be doing something right. DDoS is becoming a significant issue and it is a thorny problem. Worse, it takes money and outside resources to deal with it. Worse again, if you ignore it and they come down on your organization so that customers cannot interact with you, your organization may be seriously damaged in terms of revenue and customer relationships; and that is sugar-coating it. So, it is time to go to school to get your arms around the problem. I found this easy-to-watch set of videos. As you watch them, think about how to take the key points and share them with management at your organization.

History of DDoS. How did we get in such a mess?

One size does not fit all with DDoS, what are the basic forms and their implications?

DDoS has been around for at least 30 years, how could it possibly be an advanced attack?

Can you give me an example of a potential solution that does not require solely counting on a cloud provider?

Monday, August 24, 2015

Draft Course Layout - SANS Boston 2016 - Feedback requested

This is subject to change, but this is what the program committee is leaning towards for the courses. I am still trying to channel the evening program. Please tell me what you think.

We are getting close to a solid course line up for Boston 2016 August 1 - 7 at the Omni Parker House. We are a bit conflicted about SEC 575. We have limited qualified instructors and the course is popular, but it is early still. There is still time to make a substitution for 575 as needed. If you think there is a course that would be a better fit for the needs of the New England area please leave me a comment and I will try to get back with you.

Day course matrix

Evening program

Don't miss the Tea Party, no not politics, tea.

We have 3 rooms that can seat over 200 if they are set theater style. Obviously many of the SANS faculty have their own keynotes and evening talks, but I would like to find some local cybersecurity thought leaders that are "outside of the SANS family".

Saturday, August 22, 2015

White Paper: Using Network Based Security Systems to Search for STIX and TAXII Based Indicators of Compromise

This paper does a pretty good job of highlighting tools to detect that an organization has been breached, in the hope that the breach will be caught very early in the process.

First we meet the Mandiant-led Common Indicators of Compromise (IOCs). Not rocket science, but really helpful: hashes of known malicious files, IP addresses or DNS names, and much more. The next pieces of the puzzle are the Uber competitors, STIX and TAXII. Well actually, they are a NIST standard that looks like it will stick. Mostly you read some high-level mumbo jumbo about them, but this is your chance for a deep dive, or at least a 3 atm free dive. These are real, concrete examples.

If you are a senior cybersecurity manager, your eyes will glaze over when you get to the good stuff. But before you close the paper, scan down, find an example or two you are comfortable with. Copy them off and keep them in a folder. When you are part of a job interview for a senior security engineer position, the kind of person that commands a $140k salary, bring out the folder and ask them to tell you about it.

I encourage you, your employer encourages you, to at least speed read the paper which is available here.
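To make the paper's core idea concrete, here is an added example (mine, not from the paper or this post) that takes the IOC types named above, file hashes, IP addresses and DNS names, as STIX indicator patterns and searches constructed network log lines for them. It assumes STIX 2.1-style indicators restricted to single-comparison patterns and key=value log lines; both the indicators and the log lines are constructed sample data.

```python
import re

# Constructed STIX 2.1-style indicators (sample values, not from the paper).
# Each pattern is the simplest STIX form: one comparison, no AND/OR.
INDICATORS = [
    {"id": "indicator--0001", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
    {"id": "indicator--0002", "pattern": "[domain-name:value = 'bad.example']"},
    {"id": "indicator--0003",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
]

# Deliberate subset of the STIX patterning grammar: [type:path = 'value']
PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]$")

def parse_pattern(pattern):
    """Return (object_type, property_path, value) or raise ValueError."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError("unsupported STIX pattern: " + pattern)
    obj, path, value = m.groups()
    # Hash names are quoted in STIX paths (hashes.'SHA-256'); strip the quotes
    # and lower-case values so hex digests match regardless of case.
    return obj, path.replace("'", ""), value.lower()

def index_indicators(indicators):
    """Build a lookup: (object_type, property_path) -> {value: indicator_id}."""
    index = {}
    for ind in indicators:
        obj, path, value = parse_pattern(ind["pattern"])
        index.setdefault((obj, path), {})[value] = ind["id"]
    return index

# Constructed key=value log lines (proxy, DNS and endpoint-style events).
LOG_LINES = [
    "ts=1 src=10.0.0.5 dst=203.0.113.9 domain=www.example.org",
    "ts=2 src=10.0.0.7 dst=198.51.100.23 domain=bad.example",
    "ts=3 src=10.0.0.9 sha256=" + "AB" * 32,
]
# Which STIX object/property each log field corresponds to.
FIELD_MAP = {"src": ("ipv4-addr", "value"), "dst": ("ipv4-addr", "value"),
             "domain": ("domain-name", "value"), "sha256": ("file", "hashes.SHA-256")}

def scan_logs(lines, index):
    """Return (timestamp, field, indicator_id) for every field that hits an IOC."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        for field, key in FIELD_MAP.items():
            value = fields.get(field, "").lower()
            ind_id = index.get(key, {}).get(value)
            if ind_id:
                hits.append((fields.get("ts"), field, ind_id))
    return hits
```

Patterns that use AND/OR, observation windows or other STIX operators are rejected rather than silently mis-parsed, which is the behaviour you want in a detection pipeline.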

Wednesday, August 5, 2015

David Longenecker's post on reducing the risk of StageFright

The content below was written by David Longenecker, who graciously gave me permission to post:

Zimperium just released details and POC code for the StageFright


I've put together a quick how-to for "friends and family" to disable
auto-retrieve of multimedia messages in the native Android Messages app,
and in Google Hangouts, here:


It doesn't cover every scenario, but it at least protects against the 100%
unaided attack.

David Longenecker

Connect: Blog <http://securityforrealpeople.com> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
PGP key: https://keybase.io/dnlongen