Configuration Management (Case Study)



Ensuring that our systems are in a known, good, and trusted state is essential to a highly available network that does not depend on the implicit knowledge of the IT development teams. Having on-demand access to current and historical system states is instrumental in helping project management perform adequate audits and in helping the development teams debug.

Assignment System and Services Acquisition (Case Study)

Seven Steps

Introduction:

It is critical for the company to convey its information security requirements with transparency and specificity when acquiring the systems, components, and services the business depends on. After reviewing the current information system security controls, we have determined that current practice needs to be overhauled by implementing a new set of security tools that will help us meet or exceed current and future industry regulatory standards.

Cloud Computing Access Controls (Case Study)


Cloud providers are tasked with providing cohesive trust and security relationships. In many cases, cloud users and cloud service providers belong to different trust domains. Because of the multi-tenant and virtualized nature of cloud computing, resources are shared among potentially untrusted tenants, which makes defining and enforcing security and access privileges challenging. As a result, privacy, trust, and access control are critical issues that must be dealt with in cloud computing.

Defense-In-Depth (Case Study)



Our current effort at implementing defense in depth needs to be overhauled, and one of the areas of major concern is mobile devices. We recently paid out a total of $60 million in settlements as a result of sensitive private information stolen from our customer data centers located in two of our major markets, Mexico and the Philippines.

As a result of the negative press, our customer satisfaction has dropped to an all-time low of 20%. According to our estimates, we can achieve a 90% reduction in incidents by initiating a small number of low-cost countermeasures.

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption)



This document examines DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), a cross-protocol attack that exploits servers still accepting the obsolete SSLv2 protocol in order to decrypt TLS sessions that used RSA key exchange. Any service that shares its RSA private key with an SSLv2-capable service is affected, even if its own HTTPS configuration has SSLv2 disabled. This vulnerability is especially dangerous to any organization engaged in e-commerce that must complete financial transactions over HTTPS. TLS establishes secure HTTPS connections, typically through a web browser, allowing users to use applications such as email, online shopping, instant messaging, and online education with the benefit of an encrypted connection.
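The practical first check for DROWN exposure is whether a service still answers an SSLv2 handshake at all. The following Python is an added example, not code from the original post: it builds an SSLv2 CLIENT-HELLO offering every SSLv2 cipher spec, parses the first record the server sends back, and flags export-grade (40-bit) suites, which make the attack cheap. The two sample responses at the bottom are constructed by hand, not captured from a real server, and the `probe()` helper is only meant for hosts you are authorized to test.

```python
import os
import socket
import struct

SSLV2_CLIENT_HELLO = 0x01
SSLV2_SERVER_HELLO = 0x04

# SSLv2 cipher-spec identifiers (3 bytes each) and whether they are 40-bit export suites.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": ("SSL_CK_RC4_128_WITH_MD5", False),
    b"\x02\x00\x80": ("SSL_CK_RC4_128_EXPORT40_WITH_MD5", True),
    b"\x03\x00\x80": ("SSL_CK_RC2_128_CBC_WITH_MD5", False),
    b"\x04\x00\x80": ("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", True),
    b"\x05\x00\x80": ("SSL_CK_IDEA_128_CBC_WITH_MD5", False),
    b"\x06\x00\x40": ("SSL_CK_DES_64_CBC_WITH_MD5", False),
    b"\x07\x00\xc0": ("SSL_CK_DES_192_EDE3_CBC_WITH_MD5", False),
}


def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO: type, version 0x0002, three lengths, cipher specs, challenge."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (bytes([SSLV2_CLIENT_HELLO]) + b"\x00\x02"
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    # Two-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify the server's first bytes. Returns (speaks_sslv2, offered cipher names)."""
    if len(data) < 3 or not data[0] & 0x80:
        # Not an SSLv2 two-byte record: typically a TLS alert (0x15) or a closed socket.
        return False, []
    length = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != SSLV2_SERVER_HELLO:
        return False, []  # e.g. an SSLv2 ERROR message (type 0)
    # SERVER-HELLO: type, session-id-hit, cert-type, version(2), cert-len, spec-len, conn-id-len
    cert_len, spec_len, _conn_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], ("unknown", False))[0]
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names


def has_export_cipher(names):
    """True if any offered suite is 40-bit export grade."""
    return any(n.endswith("EXPORT40_WITH_MD5") for n in names)


def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live listener and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return parse_server_response(s.recv(4096))


# Constructed sample replies (not real captures): an SSLv2 SERVER-HELLO with an empty
# certificate offering two suites, and a TLS fatal protocol_version alert (70).
_hello_body = (bytes([SSLV2_SERVER_HELLO, 0, 1]) + b"\x00\x02"
               + struct.pack(">HHH", 0, 6, 16)
               + b"\x01\x00\x80\x02\x00\x80" + b"\x00" * 16)
SAMPLE_SSLV2_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_hello_body)) + _hello_body
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    ok, names = parse_server_response(SAMPLE_SSLV2_SERVER_HELLO)
    print("SSLv2:", ok, names, "export suites:", has_export_cipher(names))
    print("SSLv2:", parse_server_response(SAMPLE_TLS_ALERT))
```

Because the attack only needs one SSLv2 oracle that uses the same RSA key, run the probe against every port where the certificate is deployed (SMTP, IMAP, POP3, and any secondary HTTPS hosts), not just 443.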

Defending Against Password Attacks


Let's face it: MAC filtering is not an effective way to combat brute-force attacks against pre-shared keys. On my Access Point (AP) at home, in other words my home router, I use MAC filtering not as a security mechanism but as a way to assign a private IP to a specific device's MAC address using a method called "IP Reservation" with DHCP. This basically ensures the IP is reserved and ready for use on that particular device the next time it connects to the network. With that said, defeating MAC filtering on the way to cracking a pre-shared key is very doable. MAC addresses can be masqueraded ("spoofed") very easily: an attacker can capture an authorized client's MAC address with a passive wireless sniffer, since the 802.11 frame header that carries it is never encrypted, and then assume that address.
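The capture step described above, as an added example that is not part of the original post: this Python parses the 24-byte 802.11 MAC header of data frames and, using the ToDS/FromDS address rules, records which client MACs are talking to which BSSID. Those are exactly the addresses a MAC filter has already approved. The frames and addresses are constructed here (locally administered 02:… addresses), not real captures; in practice they would come from a monitor-mode interface.

```python
FC_TYPE_DATA = 2
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def parse_frame(frame):
    """Return (type, to_ds, from_ds, addr1, addr2, addr3) from an 802.11 MAC header,
    or None if the frame is shorter than the three-address header."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3                      # 0=management, 1=control, 2=data
    to_ds = bool(fc1 & FLAG_TO_DS)
    from_ds = bool(fc1 & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    return ftype, to_ds, from_ds, fmt_mac(a1), fmt_mac(a2), fmt_mac(a3)


def station_from_data_frame(parsed):
    """Map a data frame's addresses to (bssid, client_mac); None if it carries no client."""
    ftype, to_ds, from_ds, a1, a2, a3 = parsed
    if ftype != FC_TYPE_DATA or (to_ds and from_ds):
        return None                               # not data, or a 4-address WDS frame
    if to_ds:                                     # client -> AP: addr1=BSSID, addr2=SA
        return a1, a2
    if from_ds:                                   # AP -> client: addr1=DA, addr2=BSSID
        if int(a1[:2], 16) & 1:                   # group bit set: broadcast/multicast DA
            return None
        return a2, a1
    return a3, a2                                 # ad hoc: addr3=BSSID, addr2=SA


def harvest_clients(frames):
    """The passive scan: collect client MACs seen per BSSID from raw 802.11 frames."""
    clients = {}
    for frame in frames:
        parsed = parse_frame(frame)
        pair = station_from_data_frame(parsed) if parsed else None
        if pair:
            bssid, client = pair
            clients.setdefault(bssid, set()).add(client)
    return clients


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3):
    """Constructed sample data frame (type 2, subtype 0) with a minimal 24-byte header."""
    fc0 = FC_TYPE_DATA << 2
    fc1 = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    return (bytes([fc0, fc1]) + b"\x00\x00"       # frame control + duration
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + b"\x00\x00")                        # sequence control


# Constructed addresses (locally administered), not real devices.
AP_BSSID = "02:00:00:00:00:01"
CLIENT_A = "02:00:00:00:00:aa"
CLIENT_B = "02:00:00:00:00:bb"
SAMPLE_FRAMES = [
    build_data_frame(True, False, AP_BSSID, CLIENT_A, "02:00:00:00:00:ee"),   # A -> AP
    build_data_frame(False, True, CLIENT_B, AP_BSSID, "02:00:00:00:00:ee"),   # AP -> B
    build_data_frame(False, True, "ff:ff:ff:ff:ff:ff", AP_BSSID, AP_BSSID),   # AP broadcast
    bytes([0x80, 0x00]) + b"\x00" * 22,                                       # beacon, skipped
]

if __name__ == "__main__":
    for bssid, macs in harvest_clients(SAMPLE_FRAMES).items():
        print(bssid, "->", sorted(macs))
```

Every address that shows up here is, by definition, on the AP's allow-list, and on Linux any one of them can be assumed with `ip link set dev wlan0 address <mac>`, so the filter buys nothing against an attacker who has listened to the network for a few seconds; the key length and strength of the pre-shared key is what matters.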

Ubuntu Linux Service Offerings


This post distinguishes the Ubuntu Desktop and Ubuntu Server products and discusses the various support mechanisms available with the Ubuntu Linux distribution. Key differences between the two products are explored, along with details about the Ubuntu community and how effectively its website meets the needs of its users. Lastly, one alternative Linux distribution is discussed, detailing its product offering and how it compares to Ubuntu. Ubuntu's primary developer and main distributor is Canonical, a privately held company headquartered in the UK.

The Internet of Things (IoT)


IoT may not be apparent in the lives of many, but it is already largely present. Perhaps it is a lack of imagination, ingenuity, or observation on the part of consumers, but IoT encompasses far more than anyone had previously envisioned. IoT touches virtually every aspect of our daily lives with the purpose of adding conveniences that did not exist before. How does this affect industry, including auto manufacturers and healthcare providers? These questions drive this discussion and are explored in this paper by referencing recent events as they are happening today.

Risk vs. Costs of using a template or custom IT Security policy


Example IT security policy PowerPoint presentation:


You were just hired as the CISO for ABC Medical Services, a large hospital chain that:

  • provides services in six hospitals within the New England area,
  • has IT systems supporting both administrative (e.g., email, accounting systems, etc.) and critical life support medical services,
  • accepts credit card payments for hospital services,
  • does not have an IT Security Policy, and
  • did not previously have a dedicated IT Security function.

The hospital's Board of Directors is composed only of medical professionals with no IT background, while the C-level officers (e.g., CEO, CIO, CFO) are all very proficient in their specialties. Both the Board of Directors and the C-level officers have only a superficial understanding of IT security.

Thinking Like a Hacker – “How to Mitigate Attacks”


It seems like almost every week there is a new giant cyber security breach in the headlines. Some major corporation or government entity has once again been hacked by cyber criminals. The question we keep asking ourselves is how this happened. Not again! The truth is that all these major security breaches were bound to happen at some point, because cyber criminals are becoming much more exploitative and cunning when it comes to making a political statement or attempting financial gain. This is nothing new; what is new is the size and scope of these attacks. Cyber criminals have become emboldened by the vulnerabilities exposed by each successive major American corporate breach. It does not help when U.S. government agencies are unable to prosecute the perpetrators of these crimes. Enter a new way of thinking: "Think Like A Hacker!"