
Cloud Security Guidance

This post is a summary of the guidance provided in version 3 of the Cloud Security Alliance document Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. The CSA guidance remains one of the best sources of actionable security guidance for businesses adopting a multi-tenant cloud service environment.

Overall document summary:

  1. The Cloud Security guidance document is organized into 14 domains.
  2. The 14 cloud security domains are Cloud Architecture, Governance and Enterprise Risk Management, Legal: Contracts and Electronic Discovery, Compliance and Audit, Information Management and Data Security, Portability and Interoperability, Traditional Security, Business Continuity and Disaster Recovery, Data Center Operations, Incident Response, Notification and Remediation, Application Security, Encryption and Key Management, Identity and Access Management, Virtualization, and Security as a Service.
  3. The cloud deployment models are private, public, community, and hybrid.
  4. Assets that need security in the cloud fall into two categories: data, or applications/functions/processes. Part or all of an asset can move to the cloud or stay in your own data center.
  5. Hosting options include internal (on-premise), external (dedicated or shared cloud infrastructure), or combined (e.g. data stays on-prem while the application moves to the cloud).
  6. Assess the CIA (Confidentiality, Integrity, Availability) requirements for the asset and how the risk varies if part or all of the asset moves to the cloud.
  7. In summary, know the assets moving to the cloud, determine your risk tolerance, and figure out the acceptable cloud deployment and service models.

Good List of Open Source Security Projects

This is a compilation of some excellent open source security projects. I will continue to update this page. Add a comment below if you have any good reference projects or open source security tools. I am excluding the obvious ones, like Metasploit and Bro, from this list.

Platform / Host Security

OSQuery from Facebook

Reference Link: https://osquery.io/

Github link: https://github.com/facebook/osquery

Commercial Comparison: The commercial equivalent functionality is with Tanium.

Description: osquery gives you the ability to query and log things like running processes, logged-in users, password changes, USB devices, firewall exceptions, listening ports, and more. It allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance

Speaking at Black Hat USA 2015

Very excited to announce my selection and participation in Black Hat USA 2015 being held in Las Vegas this year. My talk is titled ‘Securing Your Big Data Environment’. Come join me in the South Seas CDF room in Mandalay Bay between 16:20 – 17:10 hours.

Link to Black Hat: https://www.blackhat.com/us-15/briefings.html#securing-your-big-data-environment

Ajit Gaddam Black Hat Speaker

Summary of the talk: Hadoop and big data are no longer buzzwords in large enterprises. Whether for the correct reasons or not, enterprise data warehouses are moving to Hadoop, and along with them come petabytes of data. How do you ensure big data in Hadoop does not become a big problem or a big target? Vendors pitch their technologies as the magical silver bullet. However, did you realize that some controls depend on how many maps are available in the production cluster? What about the structure of the data being loaded? How much overhead does a decryption operation add? If tokenizing data, how do you distinguish between in and original production data? However, in certain ways, Hadoop and big data represent a greenfield opportunity for security practitioners. It provides a chance to get ahead of the curve and to test and deploy your tools, processes, patterns, and techniques before big data becomes a big problem.

Come join this session, where we walk through control frameworks we built and what we discovered, reinvented, polished, and developed to support data security, compliance, cryptographic protection, and effective risk management for sensitive data.

Indicators of Compromise List and Recommended Security Measures

Unlike the loss of a physical device, if an attacker breaks into your corporate network you still have your data after they steal it, so the theft is not self-evident. It is more important than ever to detect whether your company has been broken into. This article identifies a number of indicators of compromise activity on a corporate network. It is not an exhaustive list, and I will keep adding to it, along with recommended security measures you can take to detect and prevent activity that could lead to a compromise of your network by attackers.

Logging: When you log, you can detect and identify any unusual activity on your network and on the end points.

  • Look at log file line count and line length. Establish a baseline of your log file size at a minimum, then trigger alerts when the log size increases or, even worse, when the number of events for the day decreases.
  • Look for spikes in traffic types (e.g. SSH, FTP, DNS) and baseline the number of events, including bandwidth usage.
  • Look at the country of origin of IP connections (overall or by protocol).
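The three logging checks above, as an added example that is not part of the original post: per-day baselines of log line count, events and bytes per protocol, and source country, with alerts when one day deviates from the mean of the baseline days. The log lines and the field format are constructed for the example.

```python
from collections import Counter, defaultdict
import statistics

# Constructed sample lines, format: "<day> <proto> <src_ip> <country> <bytes>"
SAMPLE_LOGS = """\
2015-06-01 ssh 10.0.0.5 US 1200
2015-06-01 dns 10.0.0.5 US 300
2015-06-01 ssh 10.0.0.8 US 900
2015-06-02 ssh 10.0.0.5 US 1100
2015-06-02 dns 10.0.0.7 US 250
2015-06-02 ssh 10.0.0.8 US 950
2015-06-03 ssh 10.0.0.5 US 1200
2015-06-03 ftp 10.0.0.9 RU 800000
2015-06-03 ftp 10.0.0.9 RU 900000
2015-06-03 ssh 10.0.0.8 US 950
2015-06-03 ftp 10.0.0.9 RU 700000
2015-06-04 ssh 10.0.0.5 US 1000
"""

def per_day_counters(lines):
    """One Counter per day: line count, events/bytes per protocol, hits per country."""
    days = defaultdict(Counter)
    for line in lines.splitlines():
        day, proto, _ip, cc, nbytes = line.split()
        c = days[day]
        c["lines"] += 1
        c["events:" + proto] += 1
        c["bytes:" + proto] += int(nbytes)
        c["country:" + cc] += 1
    return days

def find_anomalies(lines, baseline_days, target_day, factor=2.0):
    """Alerts when target_day's line count grows or shrinks beyond `factor` of the
    baseline mean, a protocol's events or bytes spike, or a new country appears."""
    days = per_day_counters(lines)
    base = [days[d] for d in baseline_days]
    tgt = days[target_day]
    alerts = []
    mean_lines = statistics.mean(b["lines"] for b in base)
    if not mean_lines / factor <= tgt["lines"] <= mean_lines * factor:
        alerts.append(("line_count", tgt["lines"]))
    for key, val in tgt.items():
        kind, _, name = key.partition(":")
        if kind == "lines":
            continue
        mean = statistics.mean(b[key] for b in base)  # Counter returns 0 if absent
        if kind == "country" and mean == 0:
            alerts.append(("new_country", name))
        elif kind != "country" and val > factor * max(mean, 1):
            alerts.append((kind + "_spike", name))
    return sorted(alerts)
```

With the first two days as the baseline, 2015-06-03 raises FTP event and bandwidth spikes plus a new source country, and 2015-06-04 raises the "fewer events than usual" alert.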
  • Scan for the software/tools listed in “List of Publicly Available Tools used for Attacks” below. This includes scanning for non-malicious network utilities like SysInternals and PsTools, which AV and other products do not rate as malicious but which are useful tools for an attacker.
  • Scan for RDP session artifacts in HKCU\Software\Microsoft\Windows\Shell\BagMRU and related keys
  • Scan for remote access services – VNC, RDP
  • Scan for remote access ports (TCP 3389 for RDP, and VNC ports)
  • Scan for batch files and scripts
  • Scan for multiple archive files – ZIPs and RARs including encrypted compressed files
  • Scan for rar/zip file compression in page files and unallocated spaces
  • Scan for programs run in the AppCompatCache
  • Scan for sysadmin tools executed such as tlist.exe, local.exe, kill.exe
  • Scan for files in the root of C:\RECYCLER
  • Scan for anomalies like an abnormal source location or logon time (for example after, say, 7pm EST) and other time-of-use rules and baselines
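The last check in the list, logon time and source location against a baseline, as an added example that is not part of the original post. The logon records, host names and the fixed UTC-5 offset used for "EST" are constructed assumptions; a real deployment would read Windows logon events and handle daylight saving time.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Constructed logon records: (UTC timestamp, user, source host). Not real data.
LOGONS = [
    ("2015-06-01T13:05:00Z", "alice", "WS-ALICE"),
    ("2015-06-01T14:10:00Z", "bob", "WS-BOB"),
    ("2015-06-02T13:20:00Z", "alice", "WS-ALICE"),
    ("2015-06-02T15:00:00Z", "bob", "WS-BOB"),
    ("2015-06-03T13:15:00Z", "alice", "WS-ALICE"),
    ("2015-06-04T02:30:00Z", "alice", "WS-ALICE"),  # 21:30 EST the evening before
    ("2015-06-04T14:00:00Z", "bob", "JUMPHOST-7"),  # bob never logged on from here
]
EST = timezone(timedelta(hours=-5))  # assumed fixed offset, no DST handling

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(events, baseline_days):
    """Map each user to the set of source hosts seen on the baseline days."""
    seen = defaultdict(set)
    for ts, user, src in events:
        if parse_ts(ts).date().isoformat() in baseline_days:
            seen[user].add(src)
    return seen

def flag_logons(events, baseline, cutoff=time(19, 0), tz=EST):
    """Return (user, reason, detail) for logons at or after `cutoff` local time
    or from a source host absent from that user's baseline."""
    findings = []
    for ts, user, src in events:
        local = parse_ts(ts).astimezone(tz)
        if local.time() >= cutoff:
            findings.append((user, "after_hours", local.strftime("%Y-%m-%d %H:%M")))
        if src not in baseline.get(user, set()):
            findings.append((user, "new_source", src))
    return findings

if __name__ == "__main__":
    base = build_baseline(LOGONS, {"2015-06-01", "2015-06-02", "2015-06-03"})
    for finding in flag_logons(LOGONS, base):
        print(finding)
```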