Leader, noun – the person who leads or commands a group, organization, or country

Lead, verb – be in charge or command of

Great, adjective – of ability, quality or eminence considerably above the normal or average

Almost everyone either wants to be a leader, or views themselves as a leader. I’ve been asked several times whether I think “person X” is  a good leader.  I firmly believe that all leaders, whether good or bad, should aspire to become great leaders.

Everyone has the capability to learn leadership skills and opportunities abound. You can buy books on Leadership. You can attend classes on Leadership. I just did a Google search on the phrase “how to become a leader” and came up with about 942,000,000 results.

Regardless of the context – home, business, technology, sports, church, school, online, or ??? – great leaders are needed. And, surprisingly, everyone is a leader to someone… and everyone follows the leadership of someone!

Here’s some homework for you. Answer the following questions…

1. Who are you leading? Why are you leading?

2. Who are you following? Why are you following?

3. What should you learn from one of your leaders?

4. What leadership trait do you feel you need to further develop? Where are you weak? What strengths do you have?

5. What attitudes and actions to you see in good leaders and bad leaders?

So, think about the questions. In the weeks ahead we will be further exploring leadership.

Until then,

- Dan

Over the past few months, we have been hearing about DNSChanger and been alerted that the FBI will be shutting down the Internet on March 8, and then again on July 9.

There’s a lot of fear and anxiety about this for folks who really don’t know what is going on.

The clearest and most understandable description of the technical issue and impact of DNSChanger that I’ve found is from the good people at Windows Secrets. Go there and read this article.

(While there you should take the time to subscribe to the newsletter. I’m pretty sure you will learn something from it.)

If you don’t really care about anything other than “Am I infected?”, follow the Windows Secrets advice and go to the DNSChanger Working Group detection page. If you are infected, then seek appropriate help to get your system cleaned up. Or, if you want to do the cleanup yourself, some general guidance can be found on the fix page.

Have fun!

- Dan

Disclaimer: I use a MacBook Pro almost exclusively for personal and business activities.

Many folks bought a Mac because they drank the Kook-Aid that said it was more secure that a Windows computer.

The last couple of weeks have shown that not to be the case. Flashback is not something you want on your Mac.

You should read this article from OS X Daily – 8 Simple Tips to Secure a Mac from Malware, Viruses, & Trojans. The advice is sound and practical.

One caveat: There are actually some Internet sites that don’t work if you have Java disabled. My approach is to disable Java, then see what doesn’t work. Only re-enable if there is a legitimate need.

Looks like Mac users are finally getting in on the fun that Windows has provided for years!

- Dan

I opened my email this morning and was greeted with this letter…

Don’t think I’m going to fall for this one.

What are some indicators that this is either legit or not?

• NOT – It sounds too good to be true.
• NOT – Sensitive proposal sent as pdf in unencrypted email
• NOT – Many scams like this are still coming out of Kenya
• NOT – “Dear Strom”
• NOT – The hook – “…30% of the total sum which I would disclose in my next email.”

I really didn’t find a single thing in the letter that might lend credibility. I think I’ll pass on this sensitive business proposal.

You should always be alert for scams like this, as well.

- Dan

Have you ever received an email like this one?

I hope that you carefully review any email you receive before blindly clicking on the links.

This one tries to fool you into giving up your email account credentials.

Don’t fall for this. Hover your mouse over the link and generally you will be able to view the destination. If you don’t recognize the site, then don’t click!

- Dan

Take another look at that title and read the article…

How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did

How do you suppose this happened? No, not the pregnancy. How did Target know?

This is a result of simple data analysis of purchases by individual shoppers. It reminds me of a college database class from 25 years ago. The professor was trying to help us understand that unimportant bits of information stored in one database can be matched with unimportant bits of information from other databases, resulting in some important conclusions.

Every time we use a credit card at a store, or get the affinity shopper discount, the retailer collects information about our individual habits. By pooling what is known from many, the trends for an individual might be inferred. That is what is described in the article.

I’m not trying to spread fear. We all just need to be aware of what is happening and how it affects our privacy.

Did you catch that bit about how coupons can reveal what the retailer knows about you? How about the part where they try to mask their knowledge by including mis-information in the sets of coupons?

Will this affect how you shop?

- Dan

If you’re looking for a way to improve your organization’s information security, I’ve got one recommendation: remember the basics.

Penetration testing is cool. You get to play with tools like Metasploit and BackTrack. You might even download and fire up SamuraiWTF. Figuring out the best way to get into the network or web application is a challenge.

But…

We occasionally need to return to our roots and examine how we are handling the Security 101 functions. These are the basics of good operational information security.

What are the Security 101 functions? Here is a list to get things started…

–> Are you testing and installing patches in a timely manner?

–> Do you know what authorized equipment is on your network?

–> Do you know what unauthorized equipment is on your network?

–> When was the last time you tested your backups?

–> What would you do if a tornado hit your facility?

–> Are you aware of what traffic is on your networks?

–> Do you have policy governing Internet activity or social networking?

–> Do you know the last time your network was compromised?

–> Do you have a firewall with a regularly reviewed ruleset?

–> Are you accepting credit cards? Do you have a good understanding of your PCI DSS scope?

–> What confidential information from your company is exposed on the Internet? How do you know?

We will be looking at some information security basics over the next several weeks. The focus will be on application to SMB and educational organizations.

What topics would you like to see covered?

- Dan

I was recently engaged to help remediate some exposures found during the preparation for PCI DSS compliance reporting. They had run an external vulnerability scan with Nessus so that they could find exposures and fix them before the “official” scan was run.

Several vulnerabilities were found that would have caused the organization to fail their external vulnerability scan. Many of the vulnerabilities were due to an open port on the server. Several cross-site scripting vulnerabilities were found. Sample code from one of the installed applications was publicly accessible.

As we were working through these issues, a common theme came up.

How do we fix Issue X so that we pass the scan?

Now think about that a minute… Approaching the vulnerabilities with this attitude is kind of like fixing a flat tire with Fix-A-Flat. It may work, but you should still have the tire looked at by a professional.

Here’s a specific example from the vulnerability scan. Port 8080 was publicly available on the web server. Several vulnerabilities were found on 8080. It was suggested that we just block 8080 at the firewall. Sure that would work to keep the problems from being found in the external vulnerability scan. But is that the right fix? No.

The right fix was to harden the server by shutting down any unneeded services and to block an unneeded ports on the firewall and uninstall the sample code from the server and institute change control on servers and firewalls and ……

My final recommendation? Take steps to think beyond compliance requirements. Checkboxes and automated scans are helpful, but nothing replaces good analysis and testing. Meeting compliance requirements is a good starting point, but don’t omit really knowing the risks your organization faces.

- Dan

In addition to taking the GSE lab exam at Network Security 2011, I also enrolled to take the Web Application Penetration Testing and Ethical Hacking course. It was a 6 day course taught by Kevin Johnson. Some portions were taught by Justin Searle. They are both great instructors.

My overall impression of the 6 days of this course is very positive. Kevin is an engaging instructor, who uses real-world examples to drive home important points. Like the rest of us, he sometimes veers off on tangents. I found these tangents entertaining!

What’s the most significant thing I learned from taking this course? First off, I came away with an awareness of some of the things that I still do not know. Second, I have a much better understanding of what good practice is when developing a web application. Third, I now know enough to be dangerous with testing, and I need to actually start using what I’ve learned.

Ok, so that was 3 things that I learned!

Here is a brief overview of what the course covered:

• The course starts at the beginning with a review of some basic web application and penetrating testing concepts.
• The next day walks through gathering information about the organization and application (recon and mapping).
• The third day covers discovering vulnerabilities and weaknesses in the application (server-side discovery).
• Day 4 addresses vulnerabilities and weaknesses in the client-side piece of the application.
• Day 5 is where exploitation of the previously discovered vulnerabilities is taught.
• Finally, Day 6 is the culmination of the learning with a Capture The Flag exercise. This was done in an isolated network environment where we had to discover and exploit vulnerabilities in some common web applications. The goal was to find certain specific pieces of information – the “Flags”.

I highly recommend this course for anyone needing a better understanding of web applications and how to find vulnerabilities in them. Much of the class is spent learning how to use automated tools such as proxies, scripting, and injection/cross-site attacks. it is very hands-on.

Beyond just the technical aspects of the course, there are always people who enhance the learning. I found the folks sitting around me to be valuable contributors to my learning. Asking questions and working together to find answers is very beneficial. Thanks Kevin, Tim, Justin, Brian, Patrick, Craig, Richard and others.

Go to the conference. Take the class. You will enjoy it.

- Dan

Taking the GSE

One of the primary reasons that I went to Las Vegas for NS2011 was to take the GIAC GSE hands-on lab exam. A huge motivation for me is that I hold several certifications, all of which need to be re-certified every 4 years. Holding the GSE would mean only having to re-certify one.

As of the time of writing this entry, I do not know whether I passed or not. If not, then I am hoping to be in Orlando in spring of 2012 to do a re-take.

Earning the GSE requires both a written exam and a hands-on lab exam. I passed the written exam in late summer. That qualified me to sit for the lab exam.

———–

There were 11 of us who took the lab exam. It was quite a mix of folks. My brother and I both sat for the exam. Most of us were from the U.S., but there was also representation from Egypt, Australia and New Zealand. I really believe the most enjoyable part was getting to know some of the other test-takers.

I really cannot share much about the lab exam itself. We were required to agree not to share details. The GIAC GSE webpage does give a pretty decent high-level listing of what you need to know and be able to practice.

How did I feel about the exam? It was tough. I choked on some things that should have been very simple. My time management was terrible. The most difficult part was not knowing exactly what we would be expected to demonstrate.

Yep. I’ll do it again if I didn’t pass. It’s worth the work of preparation and the stress of taking the exam.

- Dan