Wednesday, December 6, 2017

Definition of an integrated NOC and SOC

NOTE: 99.99999 % of the credit for this post is the work of Nelson Hernandez, I am just trying to add enough whitespace to generate discussion for his SANS.EDU research project.
NOC: Network Operations Center
SOC: Security Operations Center

Integrating a NOC/SOC is convergence/integration at the:

- Organizational level (i.e. common first-level response): triage, collaborate, cross-correlate and potentially identify common patterns from the NOC's and SOC's respective tools.

- System level (integrated ticketing and workflow): service level agreements, standard operating procedures, and integrated processes and structures that allow operators to communicate and coordinate seamlessly.

- Asset level (shared sensors and event criticality information): a common information aggregator that collects all the required data and then distributes it through integrated tools/dashboards.

The integration should allow collaboration on:
- Event Management
- Security Management (antivirus, intrusion detection/prevention systems)
- Endpoint Management  
- Network Management (firewalls, router, switches, servers)
- Fault Management 
- Configuration Management 
- Performance Management. 
- Accounting (Administration and Identity Access Management systems) 

Complex issues are investigated by Level 2-3 SOC/NOC specialists to diagnose and pinpoint the nature of the infrastructure incidents more accurately. The integrated staff cross trains to expand their range of skills, adjust their mindsets and tap each other’s skillsets and experiences to identify, manage and resolve incidents effectively. 
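To make the asset-level integration above concrete, here is a toy "common information aggregator" (an added example, not part of the original post or Nelson Hernandez's research): it normalizes NOC fault events and SOC alerts into one schema keyed by asset, applies a shared asset-criticality table, and cross-correlates events from both tools that hit the same asset within a time window, so first-level responders see one prioritized list instead of two. All sample log lines, asset names and criticality values are constructed for illustration.

```python
"""
Added example: a toy common information aggregator for an integrated NOC/SOC.
It is not code from the original post. Sample events, asset names and
criticality values are constructed; a real deployment would take them from
the fault manager, the SIEM and the CMDB.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Shared event-criticality information (asset level): one table both teams use.
# Constructed values.
ASSET_CRITICALITY = {
    "core-rtr-01": "high",
    "web-03": "medium",
    "lab-pc-17": "low",
}

CRIT_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Event:
    source: str        # "NOC" or "SOC"
    asset: str
    ts: datetime
    kind: str          # e.g. "link-down", "ids-alert"
    detail: str


def normalize_noc(line):
    """Parse a constructed NOC fault-manager line of the form
    '2017-12-06T10:02:11 core-rtr-01 link-down Gi0/1'."""
    ts, asset, kind, detail = line.split(" ", 3)
    return Event("NOC", asset, datetime.fromisoformat(ts), kind, detail)


def normalize_soc(line):
    """Parse a constructed SOC alert line of the form
    '2017-12-06T10:03:40|core-rtr-01|ids-alert|SSH brute-force from 203.0.113.9'."""
    ts, asset, kind, detail = line.split("|", 3)
    return Event("SOC", asset, datetime.fromisoformat(ts), kind, detail)


def correlate(events, window=timedelta(minutes=5)):
    """Return (noc_event, soc_event, criticality) triples where a NOC fault and a
    SOC alert touch the same asset within `window` of each other, highest
    criticality first."""
    by_asset = {}
    for e in events:
        by_asset.setdefault(e.asset, []).append(e)
    hits = []
    for asset, evs in by_asset.items():
        noc = [e for e in evs if e.source == "NOC"]
        soc = [e for e in evs if e.source == "SOC"]
        for n in noc:
            for s in soc:
                if abs(n.ts - s.ts) <= window:
                    hits.append((n, s, ASSET_CRITICALITY.get(asset, "low")))
    # Shared criticality decides which ticket the first-level responder opens first.
    hits.sort(key=lambda h: CRIT_RANK[h[2]], reverse=True)
    return hits


def integrated_triage(noc_lines, soc_lines, window=timedelta(minutes=5)):
    """Ingest both feeds and return the correlated, prioritized triage list."""
    events = [normalize_noc(l) for l in noc_lines] + [normalize_soc(l) for l in soc_lines]
    return [
        {"asset": n.asset, "criticality": c, "noc": n.kind, "soc": s.kind,
         "gap_seconds": abs((n.ts - s.ts).total_seconds())}
        for n, s, c in correlate(events, window)
    ]


# Constructed sample feeds from the NOC fault manager and the SOC alert console.
NOC_SAMPLE = [
    "2017-12-06T10:02:11 core-rtr-01 link-down Gi0/1",
    "2017-12-06T10:20:00 web-03 high-cpu 97%",
    "2017-12-06T11:00:00 lab-pc-17 link-down eth0",
]
SOC_SAMPLE = [
    "2017-12-06T10:03:40|core-rtr-01|ids-alert|SSH brute-force from 203.0.113.9",
    "2017-12-06T10:21:05|web-03|av-alert|Quarantined dropper.exe",
    "2017-12-06T14:00:00|lab-pc-17|ids-alert|Outbound port scan",
]

if __name__ == "__main__":
    for row in integrated_triage(NOC_SAMPLE, SOC_SAMPLE):
        print(row)
```

On the sample feeds the router and the web server correlate (fault and alert about a minute apart) while the lab PC does not (three hours apart), and the router's higher shared criticality puts it first.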

Wednesday, November 29, 2017

Coaching to Improve Performance


According to Wikipedia, a coach is a person who enables clients to master specific skills and knowledge and to develop abilities. Like counselors and mentors, coaches offer prescriptive advice, error analysis, expert opinions and "how to" guidance. Coaching is one of the keys to business execution. If an otherwise skilled employee is struggling with a particular skill or ability, coaching can help them get over the hump. Y Coach says there are seven primary benefits a coach passes on to the client:
  • Encourage Life Long Learning and that is Healthy!
  • Promote Self Esteem
  • Learn Goal Setting
  • Encourage and Model Teamwork
  • Develop Time Management Skills
  • Learn About Dealing with Adversity
  • Have Fun with the Task at Hand

Encourage Life Long Learning and that is Healthy!

Many people get comfortable with their abilities and cease to learn, or more commonly do all of their learning in one narrow subject area, e.g. willing to learn more about selling, but not about organizational skills. A coach can encourage them and help them get started building new frames of reference for learning in new areas. Success can lead to a greater willingness to continue lifelong learning. Consider this example from a lifelong learning blog about reading: read a book from your area of business. There are many great books related to your industry. Test drive one of them. Next, consider a web page on creative thinking or Kaizen.

Promote Self Esteem

A coach gives the client an opportunity to associate with positive, supportive people. When you are surrounded by negative people who constantly put you and your ideas down, your self-esteem is lowered. On the other hand, when you are accepted and encouraged, you feel better about yourself in the best possible environment to raise your self-esteem.

Learn Goal Setting

The majority of people seem to drift through life. A coach encourages a client to set goals and determine the steps to achieve those goals. A great coach goes beyond helping establish business or sports goals and also encourages life goals or major objectives. The goal setting guide points out that major goals can be specific or broad in scope, but they must always lead directly towards the Objective they support. They must also always have a deadline. A date you plan to accomplish the major goal by, a realistic date that not only motivates you into action but also ensures progress towards your Objective.
Here are some of our favorite tips for setting goals from mindtools:
  • State each goal as a positive statement: Express your goals positively - 'Execute this technique well' is a much better goal than 'Don't make this stupid mistake'
  • Set a precise goal, putting in dates, times and amounts so that you can measure achievement. If you do this, you will know exactly when you have achieved the goal, and can take complete satisfaction from having achieved it.
  • Set priorities: When you have several goals, give each a priority. This helps you to avoid feeling overwhelmed by too many goals, and helps to direct your attention to the most important ones.
  • Write goals down: this crystallizes them and gives them more force.

Encourage and Model Teamwork

"Teamwork is the ability to work together toward a common vision. The ability to direct individual accomplishments toward organizational objectives. It is the fuel that allows common people to attain uncommon results." -Andrew Carnegie
A coach knows the importance of teamwork and models the behavior of teamwork and takes advantage of opportunities to get people to work together. A big part of this is getting people to work on plans together. One of the most important job satisfiers for people is that their opinion is considered important. If you can get the clients to plan together, you can get them to execute the plan together. A coach is a leader and knows that teamwork is only possible if the culture supports it; sometimes organizations have a competitive atmosphere and it is one employee against the other.

Teamwork starts at the top, or it cannot be sustained. Indicators of a teamwork culture include clear expectations from management that teamwork is expected, leading by example, and management being team members themselves. Teamwork has to be rewarded and mentioned multiple times per year; we have to keep the vision before the people.

Develop Time Management Skills

A good coach knows what the time wasters are and tries to focus the client on the shortcuts, the organizational skills to do the job. One industry that teaches this very well is food service. Great chefs teach their clients to do it right and know the speed will come later. This is one area where a coach may use negative coaching (Don't do that, that is the wrong way. No, listen and try to get it this time), because if the client gets comfortable with the time wasters they may never be able to increase their performance. A good coach helps the client rank activities using something like the MSC method to sort tasks into urgent and important:
  • Must Do - Urgent tasks
  • Should Do - Can be Urgent or Important
  • Could Do - Can be Important if they lead to your ability to leave a legacy

Learn About Dealing with Adversity

Stuff happens! The question is what we do when it happens. Adversity builds character. The challenges we face teach us resourcefulness, self-reliance, courage, patience, perseverance, and self-discipline; and struggle makes us heroic, for heroes and heroines are made by scaling mountains, not molehills. A coach knows that the client can only improve if they face adversity, and therefore coaches are thankful for adversity and consider it an opportunity for growth. We found this on the web, and it seems like a nice way to view adversity: the PPPP program. First, don't PANIC, for all it does is immobilize you. To escape the clutches of fear, PLAN. That is, ask yourself what steps can be taken to improve the situation. Next, break down those steps into smaller tasks that are easier to carry out. Set a completion date for each task. Finally, work your plan by carrying out the action steps. As you do so, you will start making PROGRESS. Keep building on your progress until you reach the level of PROSPERITY you desire.

Have Fun with the Task at Hand

Stuff happens, but there are rich moments too. A coach knows how to savor the moment, as the Wide World of Sports put it, the thrill of success and the agony of defeat. If the client has been cast into their role properly, they should be having a great time. A coach reinforces this (Isn't this great?, Life is good indeed, it doesn't get better than this).

Summary

A Better Perspective's survey of human resource and personnel specialists reported the top three main benefits of coaching to the organization as:
  • Allows fuller use of individual's talents/potential 79%
  • Demonstrates commitment to individuals and their development 69%
  • Higher organizational performance/productivity 69%
Coaching helps employees trying to master a particular skill or ability get over the hump. Coaching is an important leadership skill. In our leadership course, we ask students to think about a coach that they still remember and to reflect on at least one of their coaching techniques. This would be a good exercise for you to go through right now: remember a coach that made an impact in your life. As a coach, you help your clients master specific skills and knowledge and develop abilities. To do this, you balance positive and negative reinforcement, and offer prescriptive advice, error analysis, expert opinions and "how to" guidance.

Summary:
A coach is a person who enables clients to master specific skills and knowledge and to develop abilities. Like counselors and mentors, coaches offer prescriptive advice, error analysis, expert opinions and "how to" guidance. Coaching is one of the keys to business execution. If an otherwise skilled employee is struggling with a particular skill or ability, coaching can help them get over the hump. There are seven primary benefits a coach passes on to the client: Encourage Life Long Learning and that is Healthy!; Promote Self Esteem; Learn Goal Setting; Encourage and Model Teamwork; Develop Time Management Skills; Learn About Dealing with Adversity; and Have Fun with the Task at Hand.

Updated: 11/29/17

Tips for Success: Writing a graduate level essay

Executive summary: Essays and other short writing pieces at the graduate level are expected to be concise, insightful and correctly written. Their purpose is to persuade, explain, or inform.

Tips for success:

1) Have a message to share. This seems obvious, but in a world of word processors, grammar checkers, and search engines it is possible to produce a document that looks good, but doesn't actually communicate useful information. The successful writer knows what he is going to say before starting to write. If you are struggling with step one, try this:
A) Walk around the block, talk to yourself in the shower, do whatever works for you to verbalize and focus on your message. State your thesis and the reasons why you think it is true.
B) Use a voice recorder, (most cell phones have this ability). Record your thesis and primary supporting arguments. Let it sit for 24 hours.
C) Listen to your recording. If your message still makes sense, build your outline.
2) Support your assertions. Invest the time to do research, (hint, if you type a short phrase into Google and build your paper from the first page of results, that doesn't count as research).
A) Look for "whitespace," (the term used to refer to blank areas on printed documents, can also be used to describe topic areas that have not been exhaustively covered by other authors and researchers). The goal of your research is to cover the topic from a new angle or perspective.
B) Note counterarguments. You may find information that contradicts your assertions. The best writers know there are counterarguments and acknowledge them.

3) Remember the reader. People rarely have to read what you write. Back in the era of printed books, every author knew that if they couldn't get the reader to turn from page 1 to page 2, the book was lost. With online publications, the abstract and introduction have to "sell" the paper, if not, page abandonment is just one click away.
A) Make sure you convey the value of the paper to the reader early in the process.
B) Make it easy for the reader, everything from the font, formatting to word choice should be chosen with the reader in mind. Correct grammar and spelling are a must in this respect.
C) Be ruthless with word count. If a word, sentence, or paragraph is not directly related to the central point, replace it with one that is.

Monday, November 27, 2017

Tips for Success: Powerpoint summary presentation of a research paper

Executive Summary: the most common medium to summarize research papers has changed, but the underlying concepts and goals remain the same.

Introduction: before the PC and PowerPoint, when you completed your research paper it was very common to create a poster summarizing your paper. Many young scientists and engineers remember what it is like to be one of twenty posters in a large hall at technical conferences. You would stand next to your poster and recite the elevator pitch summarizing your research and paper to other scientists that walked by with glasses of wine and plates of hors d'oeuvres.

PowerPoint: today instead of a poster, most researchers use PowerPoint and give a short presentation. The goals have not changed, they are:
- To inspire colleagues to read your paper
- To build name recognition for yourself and your work
- To share your passion for a problem, issue, and/or potential solution

Presentations regardless of medium: the same guidelines apply whether the medium is poster, PowerPoint, or increasingly, short video presentation:
- Match your presentation to your audience's knowledge level. If they are working in the field, do not waste their time with the basics.
- Focus your message, what are the three golden nuggets you want them to "take away?"
- Convey your message visually. Avoid tiny print, very busy slides, charts that do not actually inform, and be aware of red/green colorblindness with both the slides and laser pointer.
- Distance, be aware of the distance between your screen and the audience. This applies to live presentations and presentations viewed over the Internet. In a large room, people sitting in the back row may lose out, but people in the middle of the room should be able to understand.
- Remember some of your audience may be non-native English speakers or of a different culture, be careful with jargon, jokes and idioms.
- Be professional, avoid "cutesy slides", be consistent with fonts and font sizes.
- Be organized, tell them what you are going to tell them, tell them, tell them that you told them.

Version 1.1: added fonts and font sizes, thank you S. Ramsey

Thursday, November 16, 2017

Tips for success: The Research Proposal

There is a “chicken and egg” problem associated with almost all research proposals. Before submitting the proposal, the student is expected to:

1) Come up with an idea of something they would like to research.

2) Conduct first level research, (also known as Google, and perhaps other, searches), looking for information related to the topic. When you fill out the research proposal this is the information that is referred to as:

Review Existing Literature.
- As you learn more by reviewing literature, it should be possible to refine your topic idea.
- You may also discover that your initial topic has been heavily covered by material that has already been published.
- If the topic has been researched and the results published, then there may be a more focused approach to the general topic area that is not already researched and published.

Please go through this process before filling out and submitting the research proposal. With that in mind here are some tips for the remainder of the research proposal:

Discuss the literature. The template states between 2 - 5 pages. There is a danger in being wordy, your thoughts and intents may be lost. Make your first effort to explain your research topic idea in the context of existing literature in 2 pages. If you need more that is fine, but, in general, do not feel like you need 5 pages.

Identify the research question. This is where the faculty research committee that evaluates your proposal will turn first. What is the problem you are trying to solve? If you are having a hard time putting that into a paragraph, that could be a bad sign. The research question should be obvious to you and to others.

Research methods. If you have a topic and question and there is no way to conduct original research to prove or disprove a thesis, this is not a workable proposal. We understand that some of this has to be figured out as we go along, that is what research is all about. However, it is imperative that you have a way to start. Hope is not a strategy, have a plan on how to prove or disprove your thesis.

Significance of the study. We are talking about a lot of work, let’s all agree this is worth doing before we dive in.

Proposed title. This comes last for a reason. At this point you have given this a lot of thought. They tell writers that your title is your contract with your audience. Try to avoid cute titles, you would be amazed at some of the title proposals that are submitted to the committee. Instead try to summarize the point, the thesis, in a single title. If you absolutely need a subtitle the world will not come to an end, but precise and concise is best.

Tips for success: Writing an Executive Summary

An executive summary should be included on most cybersecurity reports, proposals, analysis papers, and research papers. Points to consider when creating one include:

- Brevity and conciseness. It should rarely exceed one page.

- Supportable and defensible. While the executive summary is designed for easy reading and digestion of information, supporting data should be easily available. This could be in the form of the accompanying paper, or appendices as appropriate.

- WIIFM. Whenever we communicate with someone else, we need to answer the question What's In It For Me. The C-suite will want to be briefed on why this information is important to the business.

- Well written. If it scores below 90 on Grammarly, you have work to do. Consider the "Napoleon's Private" test, (have someone else read it and tell you what they feel it means).

- On topic. State the topic, problem, recommendation as needed. Do not put extraneous information in the executive summary.

- No humor. This is not a place for jokes or humor, they can be misinterpreted.

- Avoid acronyms and "techno babble". As techies we speak a different dialect of English than management. Avoid writing anything that is hard for them to understand.

- Designed to be scanned or read rapidly. In general, when you produce an executive summary, it is for someone above your pay grade. Don't make them work to get the message, make it plain.

- Readable fonts and font sizes. It is very likely your organization has a style guide. Use it. Executives are accustomed to various formats. Under no circumstances shrink the font to make the executive summary fit on one page; your audience very likely has older eyes than you do.

Change history:
Version 1.1 don't use acronyms
Version 1.2 why do I care :)

Wednesday, November 8, 2017

Tips for Success: Creating/maintaining a Lab Notebook

Executive Summary: a lab notebook in this context is a record of the research component of your group project.

Context: when you are assigned a 6100 group project you will be expected to:
- Receive the assignment, meet as a group to determine a plan of attack, produce and submit a project plan to satisfy the components of the assignment.
NOTE: faculty welcomes questions about the assignment. Contact data is embedded in your assignment.

- Begin development of a report. These vary based on the contemporary real world assignment your group is given, but in general have two major components:

+ A non-technical summary of your findings and recommendations
+ A technical report on the work that you did, the lab notebook

A lab notebook historically was a composition book, or similar paper record, where researchers logged their expectations, observations, experiments and results. Today in the automated world, while paper records are still useful they tend to be electronic, often including screen shots.
Example lab notebook from the PCAP contest.

When your lab notebook is graded, the faculty will be looking for the following components:
- A logical flow of experimentation based on the problem you were assigned and the solution approach outlined in the project plan.
- Expectations, hypotheses, theses, before you begin an experiment, there should be a clear understanding of what you are testing, what you hope to achieve.
- Details of the experiment sufficient to reproduce your results. This commonly includes essential record keeping: dates, times, locations, and software versions are common artifacts.
- Results, these can be fairly terse and informal, they will be summarized in the non-technical report.
- Analysis, were the results what you expected? Do they affect the planned logical flow of experimentation?

NOTE: Unexpected results, miscalculations, surprises, happen, they are as much a part of research as expected results. Simply record what happened and your analysis. In some cases these may cause the group to update the project plan. That is not a problem, project plans are designed to be updated.

Monday, September 18, 2017

CCleaner and be still my beating heart.

I was working on the upcoming NewsBites story:

CCleaner Utility Was Infected with Malware (September 18, 2017)

Researchers at Cisco’s Talos have found that download servers used to distribute the CCleaner utility were also surreptitiously delivering malware along with the software. The legitimate, signed version of CCleaner, 5.53, included malware that gathered user information and sent it to a third party. Avast, which distributed CCleaner, estimated that the infected version of the utility had been downloaded by 2.27 million users. The infected version of CCleaner is no longer available for download.

Read more in:
Cisco Talos: CCleanup: A Vast Number of Machines at Risk
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

So I clicked on the link and:

Now you know and I know it had to be coincidence, but I run CCleaner so this one took a few deep breaths.

Sunday, September 10, 2017

Rest in Peace Jerry Pournelle

Sci-Fi author, Byte magazine product review columnist, (Chaos Manor), but also many early pertinent observations about cybersecurity. He will be remembered as a good guy, knew how to work a party. He gets credit for one of the best tall tales, (young guy on a farm for the summer, playing with explosives, pretty much emptied the pond, that last being the part that suspended belief), I ever heard.

My copy of Footfall is in Hawaii, guess it is time for a re-read. Best obit I have seen is here.


Tuesday, September 5, 2017

ISE ISM 5600 Grading Tips (yes, this one is real)

The purpose of this blog post is to provide guidance and coaching to STI students writing their leadership essay.

When the paper is submitted, the FIRST thing I do is run it through Grammarly. As a graduate student at SANS.EDU you have access to the tool; use it. As a grammar checker it is not perfect, but it can find and point out avoidable errors.

Writing mechanics is the last item on the rubric, but if your writing is sloppy, that impacts several other dimensions of the assignment. Clean and concise are two keys to victory. If you use Microsoft Word, the green and red squiggles can also alert you to writing that can be improved.

If the submission scores below 90 on Grammarly, I tend to stop and pour a mug of hot green tea and settle in; this paper is probably going to take a while. Marginal papers require more effort to grade than exemplars.

A final note on writing quality, several of the rubric items require the reader/grader to understand what the author intended. Slapdash writing does not achieve that goal.

The assignment asks for a single aspect of transformational leadership. Rehashing the definition detracts from your message. If we ask for a focused exposition of “something”, we probably already know what that “something” is. Try to break new ground instead of repeating the fundamentals.

Your grader will also look at the literature research, or, references. The key to winning is quality. If you have thirty ill-chosen, vaguely related references you can expect a low appraisal. There is nothing wrong with using printed literature, but your grader may not have access to those items, consider at least a few Internet references that can be validated.

Speaking only for myself, I tend to grade style gently, (8.0 is neutral). If it is extraordinary, I will mark the paper higher; if it is painful to read, I choose a lower evaluation, but I am not a literary critic and know it. That said, when the rubric mentions transitional sentences at multiple scoring levels, take the time to put a few in!

Finally, your graders are rooting for you. We want you to succeed. A day where we get to nominate a paper as an exemplar is a good day indeed. Please take the time to give this your best effort. If you shoot for the minimum passing score and miss, nobody wins.


How I grade ISE/M 5600 Leadership Essays (parody)

NOTE: this document is an attempt at humor after a long day. There is a serious version of the same basic topic on my blog.

After a string of either failing, falling, low, or lower grades, We thought it might be helpful to offer a peek behind the curtains. This is how we, at the great and powerful Oz really grade Leadership Essays.

When the paper comes in, the FIRST thing we do is flip a coin, you can check the blockchain. Heads, we run it through Grammerly. As a graduate student at SANS.EDU you have access to Grammerly; think about using it, (it even checkz spellin). It is the last item on the rubric, we do that to trick you into thinking it is not important. But if the truth be told, if your writing is sloppy, that impacts several other dimensions of the assignment such as time, height and weight. Crisp and clear are too keys two victory.  If the paper scores 95 or higher on Grammerly, I usually don't take a break, I dive right in and fill in the rubric without reading it.

If the paper scores below 90 on Grammarly, I tend to stop and pour a mug of cold beer; this one is going to take a while. Marginal papers require actual work on the part of the instructor. That is a bad situation for both you, the student and the economy, please avoid it.

A final word on writing quality. Several of the rubric items require the reader/grader to understand what the author intended. It would help if you actually intend something.

The assignment asks for a single aspect of transitional leadership. A rehash of what transitional leadership is probably detracts from your message. We have all been through re-organizations, job creation, abolishment and economic restatements. Try to break new ground instead of repeating the fundamentals.

Your grader probably won't look at the literature research, or, references. The key to winning is quantity. If you have thirty ill-chosen, vaguely related references you can expect a high score, because they don't know. One or two references is, however, a losing proposition; this isn't a book report. There is nothing wrong with using printed literature, your grader may not have access to that, consider at least a few Internet references that can be validated in the unlikely event they check.

Most graders are fairly neutral about style, 8.0 is fairly neutral and that is what you should expect to receive. If it is extraordinary, they may go higher, if it is painful too read, they may score lower, but they are not movie critics, hence, the neutral score on style. That said, HINT, when the rubric mentions transitional sentences at multiple score levels, put a few in! The key is to repeat the same word in the last sentence of one section, then use it again in the next. Consider, putting these repeated words in bold for ease of grading, as well as to make grading easier.

Finally, your graders are routing for you. We want you to succeed. We get a dollar bonus if a paper we nominate as an exemplar is approved as a nominated exemplar and posted on the nominated exemplar section of the web page.

Wednesday, July 19, 2017

Senior Enterprise Architect Wanted - I think this is in the Washington DC area

(Please forgive the grey shading, this is what I got from the recruiter)

For further info, please call:
Gregory Price
Vice President of Defense Programs
Trowbridge & Trowbridge, LLC

Cell: 815.531.9667
1430 Spring Hill Road, Suite 200, McLean, VA  22102 |  www.tt-llc.com  |  O: 571-298-8478 | F: 571-499-4153


= = = = =
Senior Enterprise Architect 

Work Experience, min 12 years:
5+ years primary role operating, troubleshooting, installing network routers and switches
5+ years primary role designing, architecting routed and switched networks
2+ years as senior or lead network architect in multi-tenant network
2+ years as senior or lead network architect in planning, designing, and building software defined networks
3+ years DoD environment

Certifications:
At least two nationally recognized certifications for senior network administrators/engineers/architects, and one of these certifications must be tied to the proposed solution’s routers and switches.
IAT Level III in accordance with DoD 8570.01-M http://iase.disa.mil/iawip/Pages/iabaseline.aspx
Education:
Bachelor’s degree in Information Systems, Engineering or Equivalent; Master’s degree preferred
Demonstrated Skills:
Ability to analyze requirements; plan and develop technical solutions and frameworks; develop test and implementation plans; analyze and evaluate networks
Use of current and emergent network design principles and protocols
Experience with network virtualization technologies and vendors
Experience with multi-tenant network architectures
Experience specifically designing and modernizing a complex network to separate control from data planes
Familiarity with a wide variety of network routing and switching equipment from multiple vendors
Scripting languages such as Perl, Python

Awareness of DoD JIE-JRSS architecture, and design experience for a DoD network within the last 3 years.
Clearance:
Active or current Top Secret clearance, SCI eligible, adjudicated through DoD Central Adjudicative Facility (CAF).

Friday, July 14, 2017

Cybersecurity research: What and How

Friday July 7, 2017, I was asked by the folks at SANS.EDU to help the graduate students submit research proposals to be evaluated by the STI research committee. It was fun work, and a glimpse at a new, (to me), part of the research process at STI.

In the first batch there were a number of potentially great proposals, but only one student took the time to clearly articulate what she was going to do and how she was going to do it. Not surprisingly, when this proposal reached the committee for a go/no go decision, the answer was go, (approved), and several faculty members volunteered to be the advisor on the project.

The experience led me to wonder, "what is the difference between the successful project proposals and the ones we evaluate as not yet ready?" From the title of the blog post you can probably guess the answer is the successful students clearly articulate what they are going to do and how they are going to do it. Before we examine that, let's take a minute to define a Cybersecurity Research Proposal. There are, amazingly, three key words to consider:

    Cybersecurity: all of the proposals fell into the realm of computer security, so we don't need to belabor this point. We can leave "Better methods of picking daisies" to some other worthy institution.

    Research: we ran into some problems here.  Research is studious inquiry. Research is not regurgitation of already published information, or an opportunity to recount one's personal experience.

    Proposal: this is where the student defines what they are going to do and how they are going to do it.

As mentioned, most of the proposals had potential in the sense that the topics were timely and interesting. So where did so many miss the mark? There seemed to be two major pitfalls: overly broad topics (failure to succinctly define "what") and a research process that cannot practically be accomplished (failure to pragmatically understand and define "how").

Since it is frustrating to be sent "back to the drawing board", here are a couple of suggestions for success the first time through the process.

1) Know what you want to do. Ideally, your topic will be something that you want to learn more about, or that will benefit your employer. In the best of all possible worlds your topic will satisfy both conditions. If you do not know what you want to do, you will not be able to explain it in the proposal. That results in "fuzzy writing" which ends up frustrating all parties, student and advisor. Only you can know what you want to do.

2) Use the literature search part of the process to explore the uniqueness of your proposal. If there are lots of papers, tutorials, YouTube videos, etc. on "Using Wireshark to monitor the TCP/IP 3 Way Handshake", it could be an indication that ground has already been covered. However, keep in mind that just about everything you can imagine has been published on the Internet in one form or fashion. The published material may not be supported by studious inquiry and/or empirical results. In that case, you may still have a valid topic, and this is a discussion you should have with your advisor.

Summary: if your research proposal reflects studious inquiry, covers new ground and adds to the body of knowledge, and clearly explains what you intend to do and how you intend to do it, then the odds are better than average that it will be accepted the first time.

Wednesday, June 7, 2017

Guy Bruneau Commendation

No one can remember a time when this was issued to a civilian, (maybe Guy has a uniform stashed away in a closet somewhere, eh).


Friday, June 2, 2017

What Are Your Data Protection Best Practices? Please take our SANS Survey

From Deb Radcliff
Editor-in-Chief

For years, cradle-to-grave data protection has been a pipe dream, but today it’s even more important because data moves into and out of the cloud, onto mobile devices and elsewhere outside the perimeter. That’s why SANS is now conducting its first survey on Data Protection Best Practices and we’re asking for you to take the survey and share your experience and knowledge.

In the survey, we want to find out who holds responsibility for data security, what type of sensitive data (and associated regulations) organizations are handling, and how well their security programs keep up with agile development, DevOps, containerization and other contemporary development methodologies.

Results and advice will be shared in a SANS community whitepaper developed by SANS Analyst Program research director, Barb Filkins, who specializes in healthcare and data privacy laws. The paper will be provided to the community during a live webcast and also presented at the SANS Data Breach Summit in September. 

The goal is to get the dialog moving on cradle-to-grave data protection, identify weak links, improve data protection practices, and raise awareness at the highest levels of the organization.

“From a legal and regulatory viewpoint, management is very often the responsible party for setting policy around the protection, privacy and security of data held by the organization,” says Filkins. “Yet they are often unaware of the risks involved in protecting the actual data and information. The results of this survey will help managers and their IT staffs identify and remediate these risks.”

We call upon your experiences: Please take the survey (and in the process you may also enter to win a $400 Amazon Gift Card OR a free pass to the SANS Data Breach Summit). The survey will be removed June 26.


Tuesday, May 30, 2017

Improving phishing detection methods

We all know detecting things we do not know exist such as a zero day attack is hard if not downright impossible. However, that does not mean that the occasional joust at a windmill is off the table.

Early this morning, (my time), a member of the GIAC Advisory Board, Kevin Holleran posted a comment that maybe if we could categorize types of phishing that would give us some traction. His original list was:

- Call to Action from a Position of Trust (i.e. CEO Fraud)
- Offers / Products
- Trusted Services (masquerading as Dropbox, Office, etc.)
- Targeted / Spear
- Spoofed Insider
- Credential Harvesting

- Simple (sentence) vs. Complex (HTML)

If you have suggestions on:
- Additional categories
- Keywords or phrases to identify those categories

Please add them to the comments field on this post or the Linkedin announcement. I realize there are a number of scholarly papers on automated phishing detection and over the weekend I will pour through a few, but I am interested in ideas from the people in the trenches. 

Before you say "that will never work," let me remind us of a similar field (in fact, I should check, they may have already solved this): SPAM in general.

A long time ago, my employer, SANS, was a LAMP shop. Our SPAM tool was SpamAssassin. Yes, it had to be configured weekly and yes, there were leakers (SPAM that got through the filter). As the company grew, they started looking at commercial software and suggested Barracuda. People loved it. SPAM never bothered me, I just deleted it, but the improved solution meant a lot to a lot of people. Here are a few words from Barracuda on how they did it:

A message "is scored for spam probability. This score ranges from 0 (definitely not spam) to 10 or higher (definitely spam). Based on this score, the Barracuda Email Security Gateway either tags (inbound messages only), quarantines, blocks or allows (or sends, for outbound) the message."
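As an added example (not from the post, and not Kevin's or Barracuda's code), here is a toy keyword scorer that applies Kevin's categories and Barracuda's score-to-action idea to a few constructed messages; the keyword phrases, weights, thresholds and sample messages are all assumptions for illustration.

```python
import re

# Category -> (weight per matching phrase, phrases). The categories are Kevin's;
# the phrases and weights are assumptions for this example, not a vetted ruleset.
RULES = {
    "ceo_fraud": (4.0, ["wire transfer", "urgent", "are you at your desk", "gift cards"]),
    "trusted_service": (3.0, ["dropbox", "office 365", "onedrive", "shared a document"]),
    "credential_harvest": (4.0, ["verify your account", "password will expire", "sign in to", "login"]),
    "offers": (2.0, ["you have won", "limited time offer", "claim your"]),
}
HTML_TAG = re.compile(r"<[^>]+>")


def categorize(subject, body):
    """Return a Barracuda-style score (0 = clean, 10+ = definitely phish),
    the categories that fired with their phrases, and simple/complex (HTML)."""
    text = f"{subject}\n{body}".lower()
    hits, score = {}, 0.0
    for cat, (weight, phrases) in RULES.items():
        matched = [p for p in phrases if p in text]
        if matched:
            hits[cat] = matched
            score += weight * len(matched)
    complexity = "complex" if HTML_TAG.search(body) else "simple"
    if complexity == "complex" and hits:
        score += 1.0   # HTML dressing on an already suspicious message: nudge it up
    return {"score": score, "categories": hits, "complexity": complexity}


def action_for(score, tag_at=3.0, quarantine_at=6.0, block_at=10.0):
    """Map a score to Barracuda's four outcomes; the thresholds are assumed."""
    if score >= block_at:
        return "block"
    if score >= quarantine_at:
        return "quarantine"
    if score >= tag_at:
        return "tag"
    return "allow"


def triage(messages):
    """Score each (subject, body) pair and return (subject, score, action)."""
    out = []
    for subject, body in messages:
        result = categorize(subject, body)
        out.append((subject, result["score"], action_for(result["score"])))
    return out


# Constructed sample messages, one per expected outcome.
SAMPLES = [
    ("Urgent request",
     "Are you at your desk? I need you to process a wire transfer before noon."),
    ("Document shared with you",
     '<html><body><p>Someone shared a document with you via Dropbox.'
     ' <a href="http://example.invalid/view">Open document</a></p></body></html>'),
    ("Your password will expire in 3 days",
     "Please update it through the usual IT portal."),
    ("Lunch Friday?",
     "Want to grab lunch Friday? The new place on Main has a special."),
]

if __name__ == "__main__":
    for subject, score, action in triage(SAMPLES):
        print(f"{action:10s} {score:5.1f}  {subject}")
```

The interesting part for the "keywords or phrases" discussion is that each phrase list is the thing you would tune, and the per-category weights decide whether one CEO-fraud phrase is worth more than two generic offer phrases.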


Kevin, Lance and I would love your ideas; please post them in a comment field. The occasional snarky remark is fine as well, but go for humor. I used Kevin's ideas with permission:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Absolutely, I am very interested in feedback from the community.

I also agree with Lance's assessment as far as the focus on training, but I believe there is considerable value in being able to focus on realizable threats to a specific organization.  We are not going to be able to get 100% coverage of every threat out there in our programs, so let's work to drive the most value.

Thanks.


--
Kevin Holleran
Master of Science, Computer Information Systems
Grand Valley State University
Master of Business Administration
Western Michigan University
ISC2 CISSP, ISACA CISM, COBIT, GISP, GLEG, GCCC, GASF, GAWN, GMOB, GXPN, GCFA, GCFE, CCPA, CCLO, PCIP, PCI ISA

"Do today what others won't, do tomorrow what others can't" - Smokejumpers Creed

Tuesday, May 23, 2017

Where are all these people coming from, (cybersecurity experts)?

In 1997 I knew about half the packet ninjas in the world and if I needed an insight from someone I did not know I could get an introduction. As the security world grew and my focus started to change to general cybersecurity, I was able to track the majority of the folks with the time, talent, knowledge and name recognition to be a SANS Instructor. I even managed to keep up with things for a while as we started to break into disciplines, forensics, pen-testing etc.

I joined Linkedin in 2007 and soon worked my way up to about 200 connections. Fast forward 10 years and it is 11,337 according to the website. Do I actually know 11k people? I don't think so. When I read about conferences other than SANS, it is common for me to not recognize a single name. But if I look them up on Linkedin or some other source they are all world renowned experts in whatever cybersecurity field grabs their fancy.

One of the few things from my Virginia Tech Artificial Intelligence class in 1997 that is still with me: "The problem with expert systems is there aren't many actual experts to build them". Exactly.

Trying to keep up in this field is hard. You post a few packet decodes, marvel at some of the Wannacry decodes, even build a chatbot in case that is the new, new thing. But nobody on this planet is going to stay current in all the cyber disciplines.

Which brings us to the core issue of this post. How do you tell real, balanced news from biased news from "fake news"? It is a very hard problem. How can you identify a competent doctor from an incompetent one? Thank heavens it was a minor problem, but I visited three podiatrists in a row that did not appear to know a foot is the thing inside of a shoe. How can you tell a competent cybersecurity practitioner from the "fake news" version? Let me illustrate with a simple example. When Wannacry came out, everyone that was switched on was sharing information and had a pretty good idea of how it worked and what was vulnerable. Three days later you started seeing every security vendor posting a webcast, document, you name it. And the titles, some were straight out of the marketing department.

We have some tools to separate the cybersecurity wheat from the chaff. There are respected certifications, and specifics on resumes like tools, publications and presentations certainly help. But it is tricky. Anyone that has been in the field for a while has had the unpleasant experience of interviewing someone for a job that sounded great and after onboarding couldn't even find the bathroom. I thank the Lord the first one of those I experienced happened three weeks after I took on a management role; I have been gun-shy ever since. I have also found some of the MSSP sales presentations to be jaw droppers. This is another case of being lucky over smart: one of my friends was director of operations for one of the first MSSPs. They would literally take people off the street (with aptitude), give them three weeks of training and shop them as experts.

To summarize. Not everyone in cybersecurity that claims to be an expert actually is, but hey, you already knew that. You also know one or more people in the field that have expertise (at least in some aspect of security). Hang on to those connections, stay in touch, once or twice a year is plenty. Then, when you need information, use a validated source. You are going to pay either way, might as well get something useful for your money.

Saturday, May 13, 2017

Honeypots and the French election

NOTE: this post is primarily a reprint of other sources. I credit them of course. I just wanted to get the information in one place for quick reference. The main points that cannot be reasonably disputed are:
- There was some sort of attack on the Macron presidential election campaign targeting email and documents.
- The tech savvy Macron folks had prepared in advance with a honeypot strategy that was at least partially effective
- Many indicators are Russian in nature with Fancy Bear/APT28 at the top of the list, however, Forbes was wise to bring attribution into question. I have worked on attribution in one manner or another for fifteen years and there is a real risk of drawing an incorrect conclusion.

An article published by Ars Technica describes the Russian attempt to influence the French presidential election. "The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron's campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information.
"We created false accounts, with false content, as traps," Macron campaign digital director Mounir Mahjoubi told the Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account."

In their haste, they left telltale signs of their identity: "According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as "Fancy Bear" or APT28) in a March 15 "phishing" campaign using the domain onedrive-en-marche.fr. The domain was registered by a "Johny Pinch" using a Mail.com webmail address. The same threat group's infrastructure and malware was found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year."

Forbes, however, cautions that the evidence is not conclusive: "And, Doman told me, he had not seen "anything definitive" linking the two phishing domains found by Trend Micro and the Macron dump, "though it seemed likely."
Muddying the waters even further is the fact that En Marche's digital lead Mounir Mahjoubi indicated to French press Macron's campaign may have put its own fake data on its servers as part of a "honeypot," set up to attract hackers and trick them into pilfering tagged data. Typically, honeypots are used as traps to track attackers' activities."

Attribution is, and will always be, one of the most challenging problems of cybersecurity response. The folks that are willing to say "probably" as opposed to "surely" are to be congratulated.

This operation will certainly add credibility to Macron's emphasis on cybersecurity and tech for France and his efforts to combat extremism. "French presidential candidate and frontrunner Emmanuel Macron said on Monday he would step up efforts to get technology firms such as Google or Facebook to share encrypted content from messaging services with authorities."

"With an eye on the Elysée Palace, Mr Macron has been only too happy to associate himself with France’s burgeoning tech scene, hoping its open-mindedness and can-do attitude would reflect back on him. When he was economy minister he hastily organised a glitzy reception for him and French entrepreneurs at the Consumer Electronics Show in Las Vegas in 2016. Prosecutors are probing irregularities in the way the party was organised, although the investigation does not involve him.
As economy minister in a socialist government he enthusiastically backed a government initiative to promote the country’s tech ecosystem under a single brand at home and abroad. “Macron has been a strong advocate for the French tech scene,” says Frederic Mazzella, co-founder of ride-sharing company BlaBlaCar."


Monday, April 17, 2017

Brett Whittaker - looking for cyber job Augusta GA Area


Brett Scott Whittaker
529 Waterford Dr
Evans, GA 30809
(410) 979-9493 (410) 672-0637
brett@brettwhittaker.com



OBJECTIVE:  Seeking a position within the Development or Computer Network Operations (CNO) communities that is commensurate with my experience, challenging in scope, and dynamic in opportunity.

KEY QUALIFICATIONS


·      Software Development
·      Cyber Operation Instruction
·      Network Analysis
·      Network Operations
·      Intelligence Analysis
·      Digital Forensics
·      Training Management
·      Top Secret/SCI Clearance


EXPERIENCE
Aug 2015 – Apr 2017: Exploit Development Instructor and Training Content Author
·      Professionally instructed hundreds of students in exploit development on linux and windows platforms so they may better defend against the techniques.
·      Authored & built Reverse Engineering courseware that demonstrated virtual memory, stack operations and registers to meet DoD Cyber contract demands.
·      Created professional training materials on modern & legacy encryption techniques for multi-million dollar government contract fulfillment.
·      Utilized gdb and Immunity debuggers to analyze software and develop buffer overflows to defeat ASLR, DEP, stack canaries & cookies for demonstration.
·      Crafted & taught Python scripts to automate analysis and launch remote exploits.
·      Built and demonstrated web exploits to include SQL Injection, Cross Site Scripting, Authentication and Session Management, and others.
·      Trained students on the Metasploit framework to enable exploit communications.
·      Educated DoD cyber warriors on basic/intermediate linux operating system skills.
·      Instructed automation techniques utilizing bash, batch and powershell scripting to survey remote network hosts, network devices and local computers.
·      Developed applications in C and Assembly to demonstrate stack overflow vulnerabilities and proper defensive coding practices.
·      Authored student evaluations based on in-class tasks, formal tests and hands-on performance in active networks for government job-role assessments.
·      Developed and built multiple web-based training modules that provided on-demand remote learning including narration, demonstration, labs and testing.

Dec 2011 - Jul 2015: Analysis Flight Chief, Operator, Planner, Network Warfare Unit
·      Conducted computer network exploitation operations to include characterization, vulnerability scanning, and exploitation to fulfill tailored intelligence needs.
·      Performed in-depth network analysis derived from multi-sourced data and authored operational cyber plans for execution organization-wide.
·      Created and managed the 105 Cyber Combat Mission Team (CCMT) training program that served dozens of members and instructed topics that included network analysis, intelligence, doctrine, operations and critical thinking.
·      Managed Joint Qualification Requirement program that ensured dozens of team members met and maintained qualifications, learned technical skills, and remained current on doctrine and regulations.
Oct 2006 - Nov 2011, Operations Section NCOIC & Operator
·      Performed vast numbers of real-world cyber operations that produced many intelligence products delivered to internal analysts and external customers to include multiple military services, intelligence agencies, the US State Department, and the President of the United States.
·      Performed digital forensics on vast numbers of computers and networking devices that ran numerous operating systems that included Windows 95, Windows 8, *NIX based platforms and various networking systems.
·      Trained dozens of network operators on tools, techniques and procedures for advanced network operations and operational security.

EDUCATION & VOCATIONAL TRAINING (partial list)
AS — Information Systems Technology, Community College of the Air Force, 2015
SANS Hacker Techniques, Exploits and Incident Handling, 40 hours, June 2014
SANS Security+, 40 hours, October 2013
SANS Reverse-Engineering Malware: Malware Analysis Tools/Techniques, June 2010
SANS Developing Exploits for Penetration Testers & Security Researchers, June 2009
Learning Tree International Certified Ethical Hacker, March 2009
Windermere Digital Interactive Network Operations Course, 480 hours, May 2007
Preliminary Tactical Digital Forensics: Section Zero, 1100 hours, Dec 2007
Prior Air Force Courses: Advanced C & Ada, Oracle 7, Object-Oriented Design, etc.

PRIOR POSITIONS
105 Combat Mission Team, Cyber Fires Planner, 2014
SIGDEV Strategy & Governance, Network Analyst, 2013
Requirements & Targeting, Exploitation Analyst, 2013
Operations Center, Interactive Operator, 2007
Communications Computer System Programmer, 1992-2006

CERTIFICATIONS
Certified CompTIA Security+, Oct 2013 - Present
Certified Information Systems Security Professional (CISSP), Apr 2009 – 2012 (expired)