excel

The difference between a vulnerability scanner and a SIEM

Dave Farquhar security , , , ,

I heard an interesting question the other day: What’s the difference between a vulnerability scanner and a SIEM? Qualys and Nessus are examples of vulnerability scanners. Arcsight and Splunk are examples of SIEMs.

To a security practitioner, the tools couldn’t be much more different, but not everyone is a security practitioner.

On a basic, fundamental level, a vulnerability scanner deals in what’s missing in the environment and what could happen as a result of those things that are missing. A SIEM deals in what actually has happened and is happening.

Read more

Dual screen Citrix, or dual monitor Citrix

Dave Farquhar Software , ,
Dual screen Citrix, or dual monitor Citrix

At my current and immediately previous job, we made heavy use of Citrix. Citrix makes remote access and administration really convenient. But you don’t get dual screen Citrix by default, and that’s a shame.

Read more

The workstation events you want to be logging in Splunk

Dave Farquhar security , , , , ,

Every once in a while the NSA or another government agency releases a whitepaper with a lot of really good security advice. This paper on spotting adversaries with Windows event logs is a fantastic example. It’s vendor-neutral, just talking about Windows logs and how to set up event forwarding, so you can use the advice with any log aggregation system or SEIM. I just happen to use and recommend Splunk. But whatever you use, these are the workstation events you want to be logging.

I want to call your attention to a couple of items in the paper. Most breaches begin on workstations, and this paper has the cure.

Read more

How to keep Excel from dropping zeroes after the decimal point

Dave Farquhar Office, Software , ,

At work part of my job is reporting security metrics along with my colleague, and sometimes we report things like the number of machines running a specific operating system. The problem we run into is that when it comes to operating system versions, OS X versions 10.1 and 10.10 are really not the same. We run into similar issues with versioning for other operating systems too, such as AIX.

To keep Excel from dropping those significant zeroes on your charts, highlight the column containing your version data and switch it from a numeric format to text format. Then switch to the tab that contains your chart, refresh the data, and your charts will show the zeroes properly.

The missing Lenovo Thinkpad scroll lock key

Dave Farquhar Hardware , , ,
The missing Lenovo Thinkpad scroll lock key

One of my coworkers accidentally enabled scroll lock on a Lenovo Thinkpad L440 the other day, which is bad news when you do it accidentally and can’t find the missing Thinkpad scroll lock key. Read more

Google’s migrating corporate apps to the cloud is less crazy than it sounds

Dave Farquhar security , , , ,

Google is moving its corporate applications to the Internet. A year ago I would have said that’s the dumbest thing I ever heard. Today I’m not so sure.

Sticking stuff in the cloud is the popular answer to everything these days, and I just see the cloud as the new mainframe. It’s not a solution so much as a different take on the same problem, and while I see a couple of potential disadvantages, believe it or not I see some real advantages to the approach as well.

Read more

Don’t e-mail yourself a list of all your passwords and bank account numbers to yourself from work

Dave Farquhar security, War Stories , , , , , , ,

So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.

Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.

Read more

How to become an Info Assurance Analyst

Dave Farquhar security , , , , , , , , , , , ,

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me. Read more

What is Winshock?

Dave Farquhar security, Windows , , , , , , , , , , , , , , ,

So the other day I got blindsided with a question at work: What are we doing about Winshock. Winshock, I asked? I had to go look it up, and I found that’s what they dubbed what I’ve been calling MS14-066, the vulnerability in Schannel, which is Microsoft’s implementation of SSL/TLS for Windows.

Based on that, I’d argue it has more in common with Heartbleed than Shellshock, but I guess “Winshock” is catchier than “Winbleed.”

Then the lead of another team asked me to brief his team on Winshock. I actually managed to anticipate all but three of the questions they asked, too, which was better than I expected. Some of what I shared with them is probably worth sharing further.

Read more

Computer, how old are you?

Dave Farquhar Windows , , ,

Yesterday I wrote about finding old computers. Here’s how I determine how old a computer is.

There’s a registry key called HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate that stores the system build time in Unix format (the number of seconds since 1 January 1970) and hexadecimal. With a few mad skilz you can make that data human-readable.

Read more