NSA TAO Chief Rob Joyce on network defense

The above video is from the USENIX Enigma conference, in which Rob Joyce, Chief, Tailored access Operations, of the National Security Agency spoke. He spoke from the attackers perspective and gave some best practice advice and recommendations. Those that have been in the information security perspective for any extended period of time won't be surprised, but it's worth repeating.

I would recommend watching the video. It's only about 35 minutes long. If you don't have the time here are some notes I took on the talk.

BEST PRACTICES

  • Perform a third-party penetration test

  • Fix the items in the penetration test report

  • "You have to be continually defending and improving"

  • Understand the normal baseline for the traffic on the network

  • Monitor the network

  • Least privelege

  • Network segmentation

  • Enable and audit logs

  • Application white-listing (at the very least do high risk assets)

  • Anti-virus - reputation services

  • Incident response plan

 

RECOMMENDATIONS

This post first appeared on Exploring Information Security.

Implementing Best Practices

Best Practices - The Only Thing Worse Than Compliance - Rafal Los - Following the Wh1t3 Rabbit

This is a really good post on best practices and how they're implemented within organization. Best practices reminds me of the gaming term, "cookie-cutter spec." In some video games you get these things called talent points that you can put into different spells to improve them. You're only given so many points to use on skills so you have to place them in a way that maximize your character. A cookie-cutter spec is a talent point set or build that has been proven to work for a majority of people playing that character based on statistical data.

The thing is, not everyone plays the character the exact same way so it's important that you take the base of the build and modify it to your play style. The same thing applies to organizations when it comes to information security or any IT best practices for that matter. Take the core best practices and then modify the rest to fit your organization.

This post first appeared on Exploring Information Security.

Safety Starts With Strong Passwords

This is a post I wrote for work talking about how to create a strong password.

Creating a strong password is one of the best things you can do to keep both yourself and your accounts safe, both at work and at home. However, creating a strong password is not the easiest thing to do and requires a little bit of thought.

If you choose a long string of random characters, the password is strong but easy to forget. If you choose a much shorter password without any random characters, then it’s easy for someone to guess. The idea is to find a balance between the two. A recent study of passwords that had been compromised, showed the top 10 worst used passwords were:

  1. 123456

  2. password

  3. 12345678

  4. qwerty

  5. abc123

  6. 123456789

  7. 111111

  8. 1234567

  9. Iloveyou

  10. adobe123

Fortunately, most places have a set of password requirements designed to keep your information safe. That does create a bit of a challenge for users because you are required to change your passwords every three months. Here are some tips that will help make the seemingly daunting task of creating strong and memorable passwords, a little easier.

Pick a Theme

Most organizations will require a password to be at least eight characters—with  at least one special character and one number. Try to think of something in your life, non-work related, that has all three of those elements.

Some examples include:

  • Restaurant menu

  • Retail stores

  • Hardware stores

  • Legal documents

  • Food stores

Once you have a theme, start mixing and matching numbers in a way that you can remember. For example, Chicken Strips for 14.99 from a restaurant could be ChSt14.99 or ChcktRips14.99 or Ch1ck4Nst9i9s!

There are thousands of different passwords waiting to be thought up from everyday life. The one caveat is, that if you create a password from your everyday life, make sure you’re not posting it all over your social media site. It’s pointless to use chicken strips as part of a password if you’re tweeting about it for the world to see.

Pick a Phrase

Pick a phrase and then use a combination of letters, numbers and special characters to craft your password. For example, Take The Bull By The Horns could be T-tB-b-TH0 or T8k-7@buLL-bi*7-h0rns or T-T@8’8@T-H0. Be intuitive about it and craft it in a way that you can easily remember it. The same rule applies here; don’t use your own personal catchphrase that’s on your social media profile. Don’t use anything obvious because phrases are easily searchable, especially if they’re popular.

Other Ideas
The two suggestions above are only a couple of ways to create strong and easy- to-remember passwords. It just takes a little thought on the front end. Find something that works for you, and once you do it’s much easier to change and improve on a regular basis.

This post first appeared on Exploring Information Security.