Security – Leonard Nelson
https://leonelson.com
Personal blog of Leonard Nelson talking about technology, education, customer relationship management, customer service and Africa.
Last updated: Sun, 10 Feb 2019 15:19:29 +0000

CIS Controls Self Assessment Tool
https://leonelson.com/2019/02/03/cis-controls-self-assessment-tool/
Sun, 03 Feb 2019 22:44:08 +0000

The post CIS Controls Self Assessment Tool appeared first on Leonard Nelson.

The Center for Internet Security has launched the CIS Controls Self-Assessment Tool, or CIS CSAT, to enable organizations to track and prioritize their implementation of the CIS Controls. The tool includes features such as the ability to:

  • Delegate questions to other team members
  • Set deadlines for each CIS Control and sub-control
  • Collect documentation related to your findings
  • Capture team discussion about each assessment question

To get started with the Self-Assessment Tool, visit https://csat.cisecurity.org/

Health Industry Cybersecurity Practices
https://leonelson.com/2019/01/06/health-industry-cybersecurity-practices/
Mon, 07 Jan 2019 02:58:07 +0000

Health and Human Services (HHS) released the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients publication that aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems. The guide is available at Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.

The guide includes:

Build And Run A SOC for Incident Response in Higher Education
https://leonelson.com/2018/12/08/build-and-run-a-soc-for-incident-response-in-higher-education/
Sat, 08 Dec 2018 15:40:21 +0000

How To Build And Run A SOC for Incident Response – A Collection Of Resources

Users and Security
https://leonelson.com/2018/01/27/users-and-security/
Sat, 27 Jan 2018 18:40:00 +0000

Research from Dartmouth College Computer Science regarding users and security:

[quote]In real world domains, from healthcare to power to finance, we deploy computer systems intended to streamline and improve the activities of human agents in the corresponding non-cyber worlds. However, talking to actual users (instead of just computer security experts) reveals endemic circumvention of the computer-embedded rules. Good-intentioned users, trying to get their jobs done, systematically work around security and other controls embedded in their IT systems.[/quote]

Source: Mismorphism: a Semiotic Model of Computer Security Circumvention by Sean W. Smith, Ross Koppel, Jim Blythe, Vijay Kothari

New NIST Password Guidelines
https://leonelson.com/2017/08/10/new-nist-password-guidelines/
Thu, 10 Aug 2017 14:12:41 +0000

The National Institute of Standards and Technology (NIST) issued an update to its password guidelines in June 2017 titled Digital Identity Guidelines (SP 800-63-3). Many of the guidelines that previously existed in the industry as credential best practice have been replaced with simpler, more user-friendly approaches.

Examples of new guidelines in the Digital Identity Guidelines (SP 800-63-3):

  • Password lengths between 8 and 64 characters are recommended.
  • Nonstandard characters, such as emoticons, are allowed where possible.
  • Long passphrases are encouraged and should not match entries in the prohibited password dictionary.
  • Password resets should be triggered primarily when a password is compromised or forgotten.
  • Multifactor authentication is encouraged in all but the least sensitive applications.
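
As an added illustration (this is not code from the post or from NIST), the following password acceptance check applies the points listed above: a length window of 8 to 64 characters counted in Unicode code points so emoji are not penalised, and a lookup against a prohibited-password dictionary. The dictionary contents are a constructed placeholder; a real deployment would load breached-password and dictionary-word lists. Input is NFKC-normalised first so that fullwidth or otherwise visually identical forms of a prohibited word do not slip past the check.

```python
"""Password acceptance check following the SP 800-63-3 points listed above.
Illustrative code only; the prohibited set below is a constructed stand-in."""
import unicodedata
from typing import Iterable, Tuple

MIN_LENGTH = 8   # recommended minimum
MAX_LENGTH = 64  # recommended maximum

# Constructed placeholder for a prohibited-password dictionary.
PROHIBITED_PASSWORDS = frozenset({
    "password", "12345678", "qwertyuiop", "letmein123", "iloveyou",
})


def normalize(candidate: str) -> str:
    """Apply Unicode NFKC so visually identical forms compare equal.
    Spaces and emoji are preserved; only the encoding form is canonicalised."""
    return unicodedata.normalize("NFKC", candidate)


def evaluate_password(candidate: str,
                      prohibited: Iterable[str] = PROHIBITED_PASSWORDS) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Length is measured in Unicode code points rather than bytes, so an emoji
    counts as one character exactly like a letter does."""
    pw = normalize(candidate)
    length = len(pw)
    if length < MIN_LENGTH:
        return False, "too short (minimum %d characters)" % MIN_LENGTH
    if length > MAX_LENGTH:
        return False, "too long (maximum %d characters)" % MAX_LENGTH
    # Case-insensitive comparison against the dictionary after normalisation.
    blocked = {p.casefold() for p in prohibited}
    if pw.casefold() in blocked:
        return False, "matches prohibited password dictionary"
    return True, "accepted"


if __name__ == "__main__":
    samples = (
        "Passw0rd",                      # 8 characters, not in the dictionary
        "🔒🔑🔒🔑🔒🔑🔒🔑",              # 8 emoji code points, allowed
        "correct horse battery staple",  # long passphrase with spaces
        "PASSWORD",                      # dictionary word, wrong case
        "ｐａｓｓｗｏｒｄ",                # fullwidth form, NFKC folds to "password"
        "short",                         # below the minimum
    )
    for sample in samples:
        print(repr(sample), evaluate_password(sample))
```

The check deliberately has no composition rule (no "one uppercase, one digit, one symbol") and no expiry timer: under the guidance above, length, a blocklist and multifactor authentication carry the weight, and resets are driven by compromise or loss rather than the calendar.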

Related Links and Additional Reading:

  1. NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk

Google Chrome Forensics
https://leonelson.com/2017/07/11/google-chrome-forensics/
Tue, 11 Jul 2017 12:19:58 +0000

The Chromensics tool is developed to read all information from the Chrome browser directory and present it to the user in an easily readable tabular format that can be explored in a decent interface without running the Chrome browser. The tool also allows you to retrieve information from another Chrome installation brought from a different machine for analysis. The acquired artifacts can be exported as a PDF report to present in a court of law or to superiors.

The Password Reset MitM Attack
https://leonelson.com/2017/07/03/password-reset-mitm-attack/
Mon, 03 Jul 2017 12:53:31 +0000

An interesting approach to a man-in-the-middle attack against a password reset system:

The PRMitM attack exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level. The attacker initiates a password reset process with a website and forwards every challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it.

Source: The Password Reset MitM Attack

Information Security Primer for Evaluating Software
https://leonelson.com/2016/04/08/information-security-primer-for-evaluating-software/
Fri, 08 Apr 2016 11:07:49 +0000


Common Sense Graphite is a site by teachers, for teachers that helps you find the best educational technology resources and learn the best practices for implementing them in your classroom. Brought to you by Common Sense Media: Empowering kids to thrive in a world of media and technology.

Source: Information Security Primer for Evaluating Educational Software

Shodan Search Shortcuts
https://leonelson.com/2016/01/25/shodan-shortcuts/
Tue, 26 Jan 2016 03:08:48 +0000

Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.

Listed below are some popular search shortcuts/search keywords to help with narrowing your search results:

Keyword         Values              Description                         Example
port            Any numeric value   Specific ports                      port:554
has_screenshot  true / false        Has screenshot                      has_screenshot:true
org             Organization name   Organization                        org:"Microsoft"
ssl             Organization name   SSL certificates for organization   ssl:edellroot, ssl:Some University
ssl.version     SSL version         SSL version                         ssl.version:sslv2, -ssl.version:sslv3,tlsv1,tlsv1.1,tlsv1.2
net             IP range            IP range                            net:18.27.7.0/24, net:18.27.0.0/16

Search Examples

Example Search Query                 Used For
port:9100 product:"LaserJet"         Finding HP LaserJet printers on the network
ssl:edellroot                        Finding devices with SSL certificates issued by eDellRoot
net:18.27.0.0/16 ssl.version:sslv2   Finding hosts supporting SSLv2 in the 18.27.0.0/16 subnet

Web Security Fundamentals
https://leonelson.com/2015/09/24/web-security-fundamentals/
Thu, 24 Sep 2015 17:44:56 +0000
Varonis has published a list of introductory web security videos at Web Security Fundamentals.
