My Security Planet » Items by Michael Gorsuch

Feeds

13620 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Items by Michael Gorsuch

Michael on Security - Musings on Information Security

• 

  Google Helps Me Get Answers From Experts Exchange

  Posted: August 28th, 2008, 12:45pm CDT by Michael Gorsuch

  Tags:  you.porn   [edit]

  update: it appears that Experts Exchange will usually show you the answers at the bottom if the referrer was Google.  If you just copy and paste the url into your browser, the answers will not be there.  Strangeness. Talk about a sensational headline, right? But it is true, all thanks to this nice forum [...]
• 

  Spammers Have Resorted to Kidnapping My Baby

  Posted: August 26th, 2008, 6:16am CDT by Michael Gorsuch

  Tags:    [edit]

  My morning inbox contained an email with the following subject: “We have hijacked your baby”.   The body is as so: Hey We have hijacked your baby but you must pay once to us $50 000. The details we will send later… We has attached photo of your fume     And of course, a zip file was attached [...]
• 

  The Wonders of Social Engineering

  Posted: August 23rd, 2008, 8:04pm CDT by Michael Gorsuch

  Tags:    [edit]

  It has been a while.  I’ve been busy, you’ve been busy.  You’ve called me, and all you got was my answering machine.  It is hard to put out good material while working and trying to spend time with your family.  I also adopted a pair of kittens that do their damnedest to keep my hands [...]
• 

  Put Your Document Library Together!

  Posted: February 12th, 2008, 5:51pm CST by Michael Gorsuch

  Tags:    [edit]

  If your IT operations team does not have a document library, I suggest you create one right now.  As mentioned earlier, it defines everything you do and takes very little investment to get started.  Install a wiki, make sure it is being backed up, and you are ready to start. So how do you organize everything? I’m [...]
• 

  Patch Tuesday Fun

  Posted: February 8th, 2008, 2:32pm CST by Michael Gorsuch

  Tags:    [edit]

  Microsoft has provided a preview for their patch release next week.  I counted a total of 9 remote exploitation vulnerabilities, so start making your plans.  Remember, if you don’t have one already, it is time to write up a patch deployment policy.  Early on, the goal is to be consistent so that you can start [...]
• 

  The Nicest Things…

  Posted: February 6th, 2008, 8:37pm CST by Michael Gorsuch

  Tags:    [edit]

  …are emails like this one: Hi, I look after about a dozen Unix boxes (mainly Fedora Linux, but also Solaris, HP-UX and Digital Unix). I came to the conclusion after reading your article that I need to formalize updates and document everything on the wiki a bit more comprehensively. I also came to the conclusion that anytime I update any [...]
• 

  A Statement of Purpose

  Posted: February 6th, 2008, 8:31pm CST by Michael Gorsuch

  Tags:    [edit]

  Wanting to do things right around here, I have decided to summarize why I started this weblog and what I really want it to become. I have run a number of sites in the past, but have had a very hard time keeping them on track. This one is different, as the domain [...]
• 

  Authenticating Against Active Directory With Python

  Posted: February 4th, 2008, 2:50pm CST by Michael Gorsuch

  Tags:    [edit]

  I’m a proponent of centralized authentication mechanisms, as the complexity of managing the password database for each system can be overwhelming. A lot of organizations are already using Microsoft’s Active Directory product, and it has proven to be rather easy to perform simple authentication against. I’m posting this here because it is [...]
• 

  Relocated to Wordpress.com

  Posted: February 3rd, 2008, 7:49pm CST by Michael Gorsuch

  Tags:    [edit]

  If you are seeing this, then things are working correctly. I have moved this site over to WordPress.com. More details can be found here. You can expect a new article in a couple of days!
• 

  Change Management: The First Step to Securing Your Environment

  Posted: January 25th, 2008, 1:50pm CST by Michael Gorsuch

  Tags:    [edit]

  [editorial note: this article is part of a series that I am drafting to ultimately be included in a small guide to effective information security. I do not consider my views to be the final word, and am therefore soliciting feedback from anyone who has an opinion on my approach. You may either [...]
• 

  Change Management: The First Step to Securing Your Environment

  Posted: January 25th, 2008, 2:16am CST by Michael Gorsuch

  Tags:    [edit]

  [editorial note: this article is part of a series that I am drafting to ultimately be included in a small guide to effective information security. I do not consider my views to be the final word, and am therefore soliciting feedback from anyone who has an opinion on my approach. You may either use the comment form below, or contact me directly here. Thanks!]

  In a previous post, I argued that information security is much more effective when approached as a management methodology rather than as a technological fix. It has to be incorporated in your operational framework to be effective. I outlined the four steps of a basic Systems Management Cycle:

  • You must write down your intentions (policy)
  • You must document the procedures you use to manifest those intentions
  • You must regularly audit your environment to make sure that you are actually doing as you say
  • You must improve

  The next step is one of genesis. Where do you begin? Assuming that you are not building a company from scratch, you're probably in a pretty active environment. Technologies are already in place, projects are being executed, and your support queue is well worn.

  In that situation, I suggest that one shouldn't go running around trying to figure out what they need to document. That's a brute force method that guarantees an anxiety attack. Instead, you can coax most of these undocumented goblins out of hiding by instituting one of the most powerful controls that I've ever witnessed: change management.

  Quickly: What is Change Management?

  Change management forces people to state their intentions before acting. Rather than walking up to a production server and installing new software, the sysadmin must fill out a quick form explaining the who, what, when, where and how of his actions.

  A policy such as this makes day to day action in your environment transparent. As a manger, you see what your team is doing and you can therefore make better decisions. You can see where improvement needs to be made, and it can act as a set of breaks to put a stop to things before serious mistakes are made.

  This is your core policy. You'll write it down and spread the word. Rather than talk in vague terms about a theoretical document, I'm going to take you through the steps of making one. By the end of the article, you should be on track.

  Real Steps to Making it Happen

  Before anything else, you're going to need a place to store your documents. I prefer to use a wiki, as they stay out of your way. If you don't already have one in play, I recommend FogBugz On Demand [see disclaimer]. It's just a few clicks to get going, you get a 45 day free trial, and it includes a really nice wiki along with a full blown project management suite. As always, though, choose the solution that meets your needs.

  Once you have procured a document library for your team, create a section called 'Policies and Procedures'. Within that, write your first policy called 'Change Management Policy'. Follow my example here and tailor to your needs.

  I prefer to keep my first versions very simple. Notice that I only ask for one business day notice for a standard change and consider all requests approved by default. In more mature organizations, this will be at least 5 business days and include a formal change management meeting prior to any approval - but you have to start somewhere. Remember, you want to lead your organization out of the wilderness without declaring marshal law. Let everyone acclimate to recording their changes first, as you will gain immensely from that.

  As soon as you have it written, send it out there! Let your team know that you're working to improve things, and that this is where you will start. There might be some resistance from some members, particularly those that have never been introduced to this methodology before. It's ok. Reinforce that you are only asking people to state their plan of action before acting. If yours is like any organization I've ever worked in, you can probably find a nice list of past mistakes that could have been avoided if this simple rule had been followed.

  Reaping the Benefits

  Your team is now making and recording changes about various systems, some of which you may not have even known to have existed before! Since your policy is requiring that sysadmins create documentation for each task, your library of procedures is actually growing, and everyone is really thinking through their work. When you see planned changes fail, you are able to analyze them better and improve.

  As time goes on, your change management policy will mature. You may create a change control board consisting of the key stakeholders in your organization and hold weekly review meetings to approve or deny changes. Full approval from your QA department may be a requirement before any change can be implemented. You'll have to evolve this policy to best fit your organization.

  From the standpoint of a security-minded individual, I don't see what could be better than starting here. Systems availability is a key term on the CIA Triad, and this paves the path. All change requests can be scrutinized to ensure that best practices are being followed and audits can be scheduled to ensure that new holes were not created by these changes.

  Best of luck!

  
• 

  Now with OpenID Support

  Posted: January 23rd, 2008, 6:49am CST by Michael Gorsuch

  Tags:    [edit]

  
  I have enabled OpenID support thanks to this great Drupal module. Now all of you cool kids with your Yahoo!, Wordpress.com, or LiveJournal accounts can just hop in without having to create yet another username and password.

  
• 

  Security as a Process, Not as a Technology

  Posted: January 21st, 2008, 7:23pm CST by Michael Gorsuch

  Tags:    [edit]

  The Problem and the Perceived Fix

  About eight years ago, I worked as a sysadmin for a major telecommunications company in the Midwest. It was good for me. I was a senior admin on a very small team, and we had to be quick in order to keep up with the day-to-day troubles. I had my hands in everything, and it seemed like I was learning a new platform, app, or networking technology every week. Not only learning about it, but having to take ownership of it! Needless to say, I felt like quite the hotshot.

  Then the virus came.

  I don't recall what it was that hit us, but it was one of the more prominent bugs that was making a lot of noise in the papers and on the 24-hour news stations. It turns out that there were a few workstations on the network that didn't have anti-virus installed, creating an excellent point of entry. Shit. We pushed our preferred av client and updated to the latest definitions. After further investigation, I found out that our base workstation image didn't include the antiviris client, and that it was up to the desktop tech to remember to install it. I worked with our desktop guys to build a new image that included the antivirus client so no one had to worry about remembering.

  Approximately four months later, it happened again.

  It wasn't the same piece of malware, and it didn't do anything other than replicate itself, but still - we were hit again. The cause: one of the junior guys installed a series of servers in the data center, and he forgot to install anti-virus. Damn it. Rinse and repeat.

  The Real Fix

  The pattern should be obvious now: in each case, we chose the appropriate technological response and nothing ever got better. It doesn't do any good to purchase anti-virus software if you aren't going to ensure its proper deployment. Then you have to ensure that it stays deployed on existing systems, and is installed on new builds. If you're wondering what piece of system management software you can use to make this happen, you're falling into the same hole as I did. Probably a more expensive one, too ;-)

  Had I just written a procedure for each of these actions that included the step to install and verify the antivirus software, all would have been well. It took me a long time to learn that simple lesson.

  It's easy to 'fix' your security problems with technology. It is also quite reactionary, and usually doesn't cover things the way you initially expect.

  The real solution is one of policy and procedure:

  • You must write down your intentions
  • You must document the procedures you use to manifest those intentions
  • You must regularly audit your environment to make sure that you are actually doing as you say
  • You must improve

  This solution is a process that you repeat over and over. You must be consistent. If you aren't thinking like this on a regular basis, your environment will suffer. When you install a piece of software, you expect it to follow a series of predetermined steps. You don't expect your SMTP server to do whatever it pleases, do you? No. You must act in the same fashion.

  When I began following this process several years ago, I saw results. Sure, problems came about, but I'd simply change my policies to adapt so I didn't get bit next time. I made it a part of my regular routine to question every step I made. Before I'd install a new piece of software, I'd check for a document explaining the installation procedure. If it didn't exist, I would create it.

  I truly believe that this is the core of a solid security methodology. Start following it before you spend a dime on anything else. Get your staff on board.

  I'll be posting more about the individual steps of this process in the near future.

  
• 

  An Introduction

  Posted: January 21st, 2008, 2:54pm CST by Michael Gorsuch

  Tags:    [edit]

  Information Security is a topic that I've always been interested in, and have been studying to various degrees over the past twelve years. I've played many roles, ranging from the over curious teenager, to the sysadmin, to the professional penetration tester. I've made progress and done some good, and have also made plenty of mistakes. Everyday experience shows me that I'll always have to keep learning.

  Michael on Software is a forum for the curious. While I'll be setting the front page topics on a regular basis, you are more than welcome to start your own. All I ask is that you treat each other with courtesy and be open to learning.

  What's in a Name?

  The story behind the name of this site is quite simple. First, I wanted to name this site in such a manner that would force me to keep focus. I have authored a number of blogs over the years, all without a dedicated topic. I want to do something different here. I can't image how I can waver with a name like this.

  Second, I'm a long time reader of Joel Spolsky's Joel on Software. His writing style appeals to me, and I see nothing wrong with the slight imitation that my title implies. It gets right to the point.

  It is also fair to note that I am an employee at Joel's software company, Fog Creek Software. Although I may comment on my experiences there from time to time, I want it to be clear that the words I write here do not necessarily represent the views of my employer. Fair enough?

  How'd You Build this Thing?
  At the time of this post, this site is being powered by Drupal 5.x. I'm using a standard install and am running the following modules:

  • Akismet
  • FeedBurner
  • PathAuto
  • XMLSiteMap

  I'm keeping most of my content in the Forum module, and am promoting the main posts to the front page. This keeps everything in one logical place.

  I've used Drupal for a number of years, and I have always found it more suitable to my needs than the other packages out there. If you haven't considered it before, give it a look over.

  All of my content is hosted at Linode, and my experience with them has been top notch. If you're looking for a dedicated box for about $20 / month, this is the place to go.

  
• 

  Security as a Process, Not as a Technology

  Posted: January 21st, 2008, 1:52pm CST by Michael Gorsuch

  Tags:    [edit]

  The Problem and the Perceived Fix About eight years ago, I worked as a sysadmin for a major telecommunications company in the Midwest. It was good for me. I was a senior admin on a very small team, and we had to be quick in order to keep up with the day-to-day troubles. [...]
• 

  An Introduction

  Posted: January 20th, 2008, 1:54pm CST by Michael Gorsuch

  Tags:    [edit]

  Information Security is a topic that I’ve always been interested in, and have been studying to various degrees over the past twelve years. I’ve played many roles, ranging from the over curious teenager, to the sysadmin, to the professional penetration tester. I’ve made progress and done some good, and have also made plenty [...]
• 

  Staying On Top of Things

  Posted: December 31st, 1969, 11:00pm CST by Michael Gorsuch

  Tags:    [edit]

  Anyone who has ever worked in the world of IT operations knows how hard it is to stay afloat. We are fighting entropy. We have a seemingly never ending todo list and people never stop interrupting. Ever. It’s the nature of this business, and we obviously like to hurt… err… like [...]