
Technology, Security, & Business Solutions with Integrity

Take a SANS class
GIAC Security Leadership GOLD
GIAC Security Essentials GOLD

At this time, my Information Security roles include:

  • SANS Instructor
  • GIAC Gold Advisor
  • Occasional Course Revisions to SANS Security Leadership (GSLC) course
  • Hands-On Security Responsibilities at Work
  • Creator of Linux Security Checklist

Information Security projects I've completed in the past include:

  • ipchains/iptables firewall: Back in 2000, all SANS students had to complete a practical assignment (similar to a research paper) before earning their GIAC certification. For my first practical, I documented our upgrade from an Ascend router (it allowed only 20 inbound filters) to an ipchains firewall. Of course, shortly after putting it into production, iptables came out and I had to upgrade from ipchains to iptables. This is the ONLY time in my years as an open-source user that I had trouble finding an open-source tool to meet my needs. I tried a couple of conversion tools, but the iptables script they created was squirrely. I eventually wrote the iptables rules from scratch. The firewall went on to live a long and prosperous life at the company.
  • Intrusion Detection Systems: I use the old standby Snort, another open-source tool. Their site says they are "the de facto standard", which is true. At one time, I could write snort rules in my sleep. Thankfully, this is no longer the case, but I still receive alerts whenever anything unusual happens on the network and I'm able to read and deal with them, no problem. Snort can also be configured as an IPS (Intrusion Prevention System) and the SourceFire IPS is based on Snort technology.
  • Vulnerability and port scans: On a regular basis, I run a complete vulnerability assessment for my company. I use nmap for the port scan and Nessus for the vulnerability scan. For wireless scans, Kismet is good, but you'll need a Linux box to use it. It also works as a wireless IDS. To evaluate our web servers, I use Wikto and good-ol' Google.
  • Security Policy: I've used many policies from the SANS policy web site as starting points when developing our corporate security policies. This site is a great tool for companies who need to develop new policy and have nothing to start with.
  • Incident Handling and other tools: Since I work for an SMB (small-medium sized business), we do not have a separate incident handling staff. When unknown problems arise, I am often the one called on to figure out what is happening. Tools used for this type of work include:
    • tcpdump to capture packets on a particular host. Great for troubleshooting network or web app problems on a single host. It runs on any OS, but the output is not pretty. I normally redirect the output to a file (use the -w option) and then pull it into wireshark for more detailed analysis.
    • wireshark: I like to use this tool to evaluate the data captured with tcpdump. It will also perform packet captures directly and can be used to capture wireless traffic. Keep in mind that on a switched network you'll only see your own device's traffic and broadcasts, unless you do some special configuration to see all traffic.
    • tcpview is a nice little tool that can be helpful when trying to determine what type of malware has infected your father-in-law's home computer. I've had this tool in my toolkit for years.
    • sysinternals is a collection of tools that is currently available from Microsoft.
    • nmap is a MUST for any network admin and security professional. It is a port scanner plus a whole lot more.
    • BiDiBlah and Cain & Abel are used by security professionals everywhere. These are serious tools for pen testing. Cain & Abel also does password assessment. In the past, I've used LC4, but it's in a state of flux and last I checked it costs about $650.
  • Risk Assessments: In addition to all of the geek stuff, I've also done complete risk assessments. I've used various methods and have tried a couple of tools. In the past, Microsoft had an asset-oriented spreadsheet tool that walked you through the risk assessment process. After updating the business impact and risk factors of each major asset, it calculated the high-risk areas. I liked this tool because it forced you to really understand the details. The tool has been replaced by MSAT (Microsoft Security Assessment Tool), which isn't as detailed. However, MSAT does provide some high-level guidance if you are just starting out in this area. I've also used a format defined by one of my GIAC Gold students. Another good source is NIST documents; they have quite a bit of information available for Risk Assessments. Here is a link to the NIST pubs in the 800 series: http://csrc.nist.gov/publications/nistpubs/ Their pub 800-26 is titled "Security Self-Assessment Guide for Information Technology Systems".
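The tcpdump item above relies on the -w option writing a capture file that wireshark can read. As an added example (not code from this page's author), here is a small parser for that libpcap file format, with a hand-constructed two-packet capture so it runs offline; the magic numbers and record layout are the standard libpcap ones, and the sample frames and timestamps are made up.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D  # variant with nanosecond timestamps


def parse_pcap(data: bytes) -> dict:
    """Parse a libpcap byte string into its global header and packet records."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    # Byte order is signalled by which way the magic number reads.
    if struct.unpack("<I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in (MAGIC_USEC, MAGIC_NSEC):
        endian = ">"
    else:
        raise ValueError("bad magic: not a libpcap file (pcapng is not handled here)")
    magic, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    frac_div = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    packets, off = [], 24
    while off + 16 <= len(data):  # each record: 16-byte header then incl_len bytes
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        packets.append({
            "time": ts_sec + ts_frac / frac_div,
            "captured": incl_len,
            "on_wire": orig_len,  # exceeds captured when snaplen cut the packet
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def _frame(payload: bytes) -> bytes:
    """Constructed Ethernet header (broadcast dst, made-up src, IPv4 ethertype) + payload."""
    return bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00" + payload


# Constructed sample capture: little-endian v2.4 header, snaplen 65535, LINKTYPE_ETHERNET (1),
# followed by a 20-byte frame and a frame that was 60 bytes on the wire but stored as 14.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", 1_700_000_000, 250_000, 20, 20) + _frame(b"\x45" + b"\x00" * 5)
    + struct.pack("<IIII", 1_700_000_001, 0, 14, 60) + _frame(b"")
)
```

A capture cut short mid-record (a tcpdump killed while writing, or a disk that filled) fails the truncation check rather than yielding a bogus last packet.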