Security Hygiene: The easy stuff we don’t do

Cybersecurity is a complex topic. It crosses all industries and affects everyone. Even in academia, cybersecurity is a multidisciplinary program. We, as “security people,” spend a lot of time focusing on the next threats…on the next big risk areas…on securing the next...

Advice from NSA TAO…

Last week the USENIX Enigma conference hosted a number of great presentations, including one from Rob Joyce, Chief of the NSA Tailored Access Operations (TAO) Program. He provided some great advice that I've spoken about many times in the past, including on this blog....

Trading ESXi for [OpenStack, CloudStack, Hyper-V]

I've become a little frustrated with ESXi in my homelab, specifically the lack of features without a paid license, hardware support, and the nightmare called "upgrading." All my reasons aside, I decided to take some time over my holiday break to build a new server,...

Cloud Border Visibility

Maintaining network visibility is one of the biggest concerns in moving to the cloud. Fortunately, many traditional tools and techniques still work in a cloud environment. Network visibility is a broad topic. However, in this post, we will discuss maintaining network...

The Permissions Gap (Part 2)

Today I presented the results of my research on the permissions gaps in modern operating systems. I presented a background on modern permissions systems, access control fundamentals, and showed some proof-of-concept code to show the implications of, what I call, the...

The Permissions Gap (Part 1)

Tomorrow I'll be presenting at the 2015 ISSA International Conference in Chicago. My topic and title: The Permissions Gap. I'll be presenting the results of one of my research topics from the past year on the "reality" of operating systems permissions. In this...

Common Sense Security

The occurrence of data breaches has been on a continual rise over the past 18-24 months. Some of this is arguably due to increased reporting, but what about the rest? How do some of the largest companies in the world manage to get breached by so-called "advanced"...

Adaptive Password Policies

Stanford recently published a new security policy allowing their users to choose length over complexity.  Password complexity has always been the go-to answer for creating secure passwords. Of late, there has been a big push to change that; and for good reason!...

You don’t need my passport…

I decided to switch web hosts over the past week and ran into a rather upsetting situation. In an attempt to "verify" my identity, a major web hosting company requested a copy of my driver's license or passport...but why? It may seem logical that if you give someone...

Open Source Enterprise Security

My second presentation at BSides Orlando 2014 was on Open Source Enterprise security solutions. The idea was to present a number of tools to help the struggling small business meet enterprise security objectives.  It's easy to forget that many (most?) small businesses...