It's hard to believe summer is gone, fall is slipping away, and winter is just around the corner. Would it be too hard to believe that I've been too busy to blog? (err…my last post was in July!). To get things rolling again, let me share what I've been up to the past 3 months:
I worked on two security visibility and response projects. Both organizations have several layers of security safeguards, but lack the ability to efficiently and effectively visualize and report on the big picture. If you smell SIM technology, you're on the right track. It's encouraging to see security admins resolve an incident without bouncing through 4 or 5 systems to collect basic information. If your current SIM solution leaves you with more questions than answers, then please stay tuned for a post on a great solution.
I also led several penetration tests, targeting network, application, web, and client-side layers. While most edge (Internet) systems are free from OS level weaknesses, the OWASP Top-10 bugs are still prevalent. XSS and SQL injection continue to plague not just Internet systems but also internal systems. This should not be a surprise — the edge still gets priority in patching. With the prevalence of client-side attacks, however, I am seeing a definite up-tick for internal patching. Which leads to this point — when Internet hosts are patched and firewall rules are stringent, target the end-user. It's working for cyber criminals and it worked 100% of the time during our summer/fall penetration tests.
There's been a smattering of small 2 or 3 day projects spread in between to fill in the gaps: web app assessments, teaching a pen-testing class, and building an incident response plan for a billion dollar organization.
I'm looking forward to winter. I might actually get a chance to wax the snowboard and carve it up. Stay tuned.