Friday, June 24, 2011

Spear Phishing

Spear phishing is a common way that attackers get into organizations. Sometimes, when attempting to spear phish an organization, an attacker will spoof one of the targeted organization's email addresses to make the spear phishing message look more legitimate. Mail protocols aren't great at prohibiting this, and thus, it's a fairly successful technique.

A simple analytical method to monitor for this is to watch mail logs or a PCAP solution for "From" addresses claiming to be from within your organization, but from mail gateway IP addresses or sender IP addresses that are outside of your organization. The data resulting from this is quite fascinating. Have a look!
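A small illustration of that check, written here as an added example rather than code from the original post. It parses constructed mail-log lines in an assumed key=value format (no real MTA writes exactly this), takes hypothetical organization domains and gateway address ranges from the RFC 5737 documentation blocks, and flags messages whose "From" domain is internal while the sending IP is outside the organization's ranges.

```python
import ipaddress
import re

# Hypothetical organization parameters (assumptions for this example,
# not values from the post). Documentation ranges stand in for the
# organization's real mail gateway and internal address space.
ORG_DOMAINS = {"example.com", "mail.example.com"}
ORG_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample log lines in a simplified key=value format.
# Line 002 and line 004 claim an internal "From" domain but arrive
# from addresses outside ORG_NETWORKS; 004 also uses a display name
# and mixed-case domain to show the normalisation that is needed.
SAMPLE_LOG = """\
2011-06-24T09:01:12 msgid=001 from=alice@example.com sender_ip=203.0.113.10 subject="Budget"
2011-06-24T09:02:45 msgid=002 from=ceo@example.com sender_ip=192.0.2.77 subject="Urgent wire"
2011-06-24T09:03:01 msgid=003 from=vendor@partner.net sender_ip=192.0.2.80 subject="Invoice"
2011-06-24T09:04:30 msgid=004 from="IT Helpdesk" <helpdesk@EXAMPLE.COM> sender_ip=198.18.0.5 subject="Reset"
2011-06-24T09:05:10 msgid=005 from=bob@example.com sender_ip=198.51.100.3 subject="Lunch"
"""

# Pulls the message id, the raw From field (which may contain a quoted
# display name) and the sender IP out of one log line.
LINE_RE = re.compile(r"msgid=(?P<msgid>\S+)\s+from=(?P<from>.*?)\s+sender_ip=(?P<ip>\S+)")
# Extracts the local part and domain from whatever the From field holds.
ADDR_RE = re.compile(r"([\w.+-]+)@([\w.-]+)")


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    addr = ADDR_RE.search(m.group("from"))
    if not addr:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # malformed IP: skip rather than crash the sweep
    return {
        "msgid": m.group("msgid"),
        "from_addr": addr.group(0).lower(),
        "from_domain": addr.group(2).lower(),
        "sender_ip": ip,
    }


def is_internal_ip(ip, org_networks=ORG_NETWORKS):
    """True if the address falls inside any of the organization's ranges."""
    return any(ip in net for net in org_networks)


def find_spoofed_internal_senders(log_text, org_domains=ORG_DOMAINS, org_networks=ORG_NETWORKS):
    """Return records whose From domain is ours but whose sender IP is not."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["from_domain"] in org_domains and not is_internal_ip(rec["sender_ip"], org_networks):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_spoofed_internal_senders(SAMPLE_LOG):
        print(f'{h["msgid"]}: {h["from_addr"]} sent from external {h["sender_ip"]}')
```

Run as-is it reports messages 002 and 004. In practice the list will also contain legitimate third-party senders (hosted mail services, mailing lists, partners relaying on your behalf), so the production version of this check keeps an allowlist of known external relays and treats the remainder as the interesting set.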

GFIRST Presentation

The GFIRST Agenda came out today, and I saw that I will be presenting on the Wednesday afternoon of the conference. I'm going to be speaking about layer 7 meta-data. My goal is to get people thinking about the difference between data value and data size. I'm hoping the talk is well received!

I always enjoy GFIRST, as I seldom have the opportunity to be around so many like-minded analyst geeks at one time.

Monday, June 20, 2011

4G Hotspot

I recently picked up a 4G hotspot and am loving it so far. It did make me realize, however, that there are now more than a few options for bringing your own network with you wherever you go and hopping on-line from anywhere. Think mobile phones, tablets, 3G/4G hotspots, etc. Why am I blogging about this? Because it occurred to me that it's now possible to physically sit inside an enterprise and send and receive information over your own portable network. Guess what? There's no way for an enterprise to monitor that. Scary.

Loss of Visibility

A couple of months ago, I spoke on a panel discussing some looming challenges in the field of cyber security. As might be expected, many people asked questions of the panel relating to the move to cloud computing. At one point, I was asked what my greatest fear was relating to the cloud. My answer? Loss of visibility. When an organization moves to the cloud, that organization effectively outsources all of its logging and auditing. What if the cloud provider doesn't have all the painful lessons learned that many of us do? It pays to ask, IMO.

Remember, even the best analyst can't identify security issues on a network if the data isn't there to support the analysis.