Searching for a needle in a pcap haystack with pyshark

Tags: pcap, pyshark, python, Wireshark
Faced with a bit of a challenge recently: I had a large (multi-megabyte) packet capture file from Wireshark and needed to extract information from the start of each SSL/TLS session in the capture. I could have used a Wireshark display filter to find SSL/TLS packets, but then manually sifting the ...
Searching Logs: A Work In Progress

A while back, I read a blog post at the SANS Internet Storm Center (ISC) handler's diary, "There's Value In Them There Logs" that piqued my interest. I'm well aware that logs are essential for error discovery and diagnosis as well as incident forensic analysis. The systems I build consistently ...

Security by Labels vs. Content

Generally, authorization security (determining whether a subject has access to data) is based on labels. For example, file pathnames determine what directory a file resides under, and accordingly, what discretionary access controls are assigned to the file. Firewalls determine what packets are authorized based on IP addresses and port numbers ...
Web Server Security Checklist

Here is a quick checklist of items I have found to be important in securing and monitoring the security of outward-facing web servers. Architecture: Typical components surrounding a web server include an external firewall to protect the web server itself from attacks and an internal firewall to protect the internal corporate systems ...

Data Loss Prevention: Technology or Strategy?

Tags: DLP
As often happens in the computer industry, nomenclature is unwieldy and flexible as technologists, sales & marketing, and the rest of the world clash. My case in point is the phrase "data loss prevention" or DLP. In other articles, I have talked about DLP as a technology -- in that it ...

Changing Face of "Spam" Email

Tags: email, Spam
As a network engineer involved in bringing up some of the first Internet connections in the upper midwest in the late 1980s and early 1990s, I also managed email systems in the 1990s as spam email started becoming a nuisance. In the past decade, spam has been more than a ...

Security Technology Musings

Each security technology that comes along has its set of "use cases" -- that is, it improves confidentiality, integrity, or availability for certain uses. Trying to apply that security technology outside of its useful situations results in either a false sense of security or complete failure. For example, full disk encryption is ...

Are Anti-Virus and a Firewall Enough?

I thought after all the commotion from the many significant data breaches of the past several months that data security would be top-of-mind at nearly every company. Perhaps people outside the information security industry have become tired of the breach news, or perhaps the lesson didn't sink in. Maybe more likely is the ...

Web Servers as an Attack Vector

Tags: web
For a long time in computer security, we have been focused on protecting workstations, and rightly so. Viruses, worms, remote access Trojans, and other malware have targeted the end-user workstation, and unfortunately, the attacks continue to be quite successful. A number of recent high-profile data leaks have occurred using workstations ...

Cloud Computing and the Insider Threat

Tags: Cloud, insider threat
Something that hasn't been top-of-mind for me, but remains a threat nonetheless, is that the scope of the "insider threat" changes when the cloud is used for computing and storage. One of the significant data loss vectors is the "insider threat" where a trusted insider -- either unintentionally or maliciously -- ...