Tuesday, 10 November 2015

Security tunnel vision – Mobile devices and VPN

Over the last few years of my career, like so many people, I have experienced “security tunnel vision”. Security tunnel vision is when we as security professionals get fixated on only one aspect of security and forget the overall landscape of the organization.

An example of this would be mobile devices, such as smartphones and tablets, accessing corporate resources. There is a certain fear among some security professionals that these devices are not secure enough to access corporate resources using technologies such as VPN. These professionals are fixated on the point that these devices can be jailbroken and that users can download malicious apps; they have entered the state of security tunnel vision.

They have lost sight of the fact that users were already using mobile devices such as laptops to access corporate networks using approved methods. The solution is not to ban mobile devices from using proven technologies such as VPN, but to put mitigating controls in place. If VPN is already being leveraged for a mobile workforce using laptops, banning mobile devices from corporate access will not drastically improve the organization's security landscape; it will only inconvenience the business and stop productivity.

As security professionals, it is important to create policies and standards that protect a company holistically. If the corporate policy approves technologies like VPN, then devices should be allowed to use that technology as long as the criteria set by security are met.

In this case, a mobile device management solution, mature governance on which applications are to be allowed, a policy on BYOD, and policies and standards on mobile devices should be established and leveraged.

Monday, 29 December 2014

CISSP Lessons learned

When I was getting ready to start studying for the CISSP exam, I was told by others the exam is a mile long and an inch deep. Now, after taking and passing the exam, I can verify the assumption personally. Initially I was overwhelmed with how much information one was expected to learn ("remember"), but as I began to study I realized one important element: understand concepts and the rest will work out, which held true for me during the exam.

In today's age one can’t be required to remember everything; there is so much information that most of us can’t physically do it, other than what we do on a regular basis, as it is reinforced by repetition. What are easier to remember and comprehend are concepts, for example how PKI works, what the purpose of a DMZ is, or how a firewall works. Understanding the concept of public key cryptography is more beneficial than knowing that RSA has so many bits; a person can just do a quick lookup for the bit size of RSA. The reason is that on the CISSP exam they don’t go into great detail but ask questions at a bird’s eye view. In my opinion CISSP is not a technical certification, but a certification that has a broad body of knowledge that helps pull everything together.

So what do you need to pass the exam?

1. Experience. The CISSP exam really does leverage a person’s experience and exposure to multiple technologies and methodologies. This will be your greatest asset.

2. A good study guide. Experience is good, but not all people have worked in all the domains for the CISSP exam. I used CISSP for Dummies and the Shon Harris book; they provided information on areas I was weak in and helped reinforce sections that I was already strong in.

3. A testing tool. ISC2 has a testing engine, as do others like CCCURE. This was immensely helpful, as it helped identify areas where I was weak and needed more work.

4. Stamina. The CISSP exam is an endurance test. Read all the questions very carefully and don’t rush; you have 6 hours, and most likely you won’t use all 6 hours.

In closing, writing the CISSP exam was an overall positive experience for me: I have joined an amazing security community, I have been able to put my technical experience to the test, and I have found out I really do love the security field in IT.

Received my CISSP

On December 23rd, 2014 I received my official notification that I am now CISSP certified. In light of this fact, I will now be changing this blog to focus more on Security.

Thursday, 19 July 2012

Import users from a CSV file to Distribution Group

I have been getting asked lately how to do bulk user imports into Exchange for various tasks.

The example below uses the user Alias field to add users to a Distribution group. You can use this method to do other things, like making new mailboxes; all you need to do is change the command. The CSV file should be comma delimited, and the first line should say alias, since that is the field I am using.

Also note that although I used the alias field, you can also use email addresses etc.

    # Add every alias listed in the "alias" column to the distribution group
    Import-Csv c:\users.csv | ForEach-Object { Add-DistributionGroupMember -Identity "DL Name" -Member $_.alias }
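A more defensive version of the same import, added here as an example and not the author's script: it checks the header, skips blanks and duplicates, adds only aliases that resolve to a recipient, and verifies the result by reading the membership back. The CSV path, group name and report path are placeholders.

```powershell
# Added example. $csvPath, $group and $reportPath are placeholder values.
$csvPath    = 'C:\users.csv'
$group      = 'DL Name'
$reportPath = 'C:\users-import-report.csv'

$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0 -or -not $rows[0].PSObject.Properties['alias']) {
    throw "Expected a CSV with a header line containing 'alias': $csvPath"
}

# Trim values, then drop blank lines and duplicates before touching the group
$aliases = @($rows | ForEach-Object { "$($_.alias)".Trim() } |
    Where-Object { $_ } | Sort-Object -Unique)

# Snapshot of current members so reruns skip people who are already in the group
$before = @(Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    ForEach-Object { $_.Alias })

foreach ($alias in $aliases) {
    if ($before -contains $alias) { continue }
    # Only add aliases that resolve to an existing recipient
    if (Get-Recipient -Identity $alias -ErrorAction SilentlyContinue) {
        Add-DistributionGroupMember -Identity $group -Member $alias
    }
}

# Verify by reading the membership back rather than trusting the absence of errors
$after = @(Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    ForEach-Object { $_.Alias })

$aliases | ForEach-Object {
    if ($before -contains $_) {
        $status = 'AlreadyMember'
    } elseif ($after -contains $_) {
        $status = 'Added'
    } else {
        $status = 'NotAdded'
    }
    New-Object PSObject -Property @{ Alias = $_; Status = $status }
} | Export-Csv -Path $reportPath -NoTypeInformation
```

The report file gives a record of what the bulk change actually did, which is useful when the group controls who receives sensitive mail.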

Monday, 16 July 2012

How to get members of a Dynamic Distribution Group in Exchange 2010

Sometimes we are asked to send a report of which members are in a DL. If the DL is dynamic, this can be tricky.

    # Store the dynamic DL so its filter and container can be reused
    $1 = Get-DynamicDistributionGroup "groupname"
    # Preview the recipients that currently match the group's filter
    Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $1.RecipientFilter -OrganizationalUnit $1.RecipientContainer

The above commands will get the list of members.  What I did was make a variable of $1 for the dynamic DL.  This saved me typing time when I ran the command to get the members.

Friday, 18 May 2012

Test SMTP through Telnet

Sometimes you need a tool to verify whether SMTP is enabled and whether it is able to relay messages. Telnet is great for that, and PuTTY is a great Telnet client.

Below are the steps to send a mail using Telnet or PuTTY.

| You do/type this | Server responds with |
| --- | --- |
| Telnet to hostname on port 25 | 220 (then identifies itself - possibly with several lines of 220 + text) |
| HELO your_domain_name or whatever | 250 (followed by human readable message) |
| MAIL FROM:you@hostname.com (ie, your email address) | 250 is syntactically correct (or similar) |
| RCPT TO:them@someplace_else.com (email address you want to send to) | 250 is syntactically correct |
| DATA | Tells you to send data then CRLF period CRLF at end |
| You type your message then CRLF period CRLF (ie, type a period on a line by itself then hit ENTER) | 250 |
| QUIT | Signoff message |
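The same dialogue scripted as a relay check that stops after RCPT TO, so no message is sent. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the server name and addresses are placeholders.

```powershell
# Added example. Run it only against a mail server you administer.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply can span lines: "220-text" continues, "220 text" is the last line.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        if ($line -notmatch '^(\d{3})(-| |$)') { throw "Malformed reply: $line" }
        $lines += $line
    } while ($Matches[2] -eq '-')
    [pscustomobject]@{ Code = [int]$Matches[1]; Text = $lines -join "`n" }
}

function Test-SmtpRelay {
    param([string]$Server, [int]$Port = 25, [string]$From, [string]$To)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000   # milliseconds
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"      # SMTP lines end in CRLF
        $writer.AutoFlush = $true

        $codes = [ordered]@{}
        $steps = [ordered]@{
            Banner = $null            # nothing to send, just read the 220 greeting
            HELO   = "HELO $env:COMPUTERNAME"
            MAIL   = "MAIL FROM:<$From>"
            RCPT   = "RCPT TO:<$To>"
        }
        foreach ($name in $steps.Keys) {
            if ($steps[$name]) { $writer.WriteLine($steps[$name]) }
            $codes[$name] = (Read-SmtpReply $reader).Code
            if ($codes[$name] -ge 400) { break }   # 4xx/5xx: stop the dialogue
        }
        $writer.WriteLine('QUIT')     # no DATA is sent, so nothing is delivered
        # 250 to RCPT TO for an outside domain means the server agreed to relay
        $codes['RelayAccepted'] = ($codes['RCPT'] -eq 250)
        [pscustomobject]$codes
    }
    finally { $client.Close() }
}

# Placeholder server and addresses (assumptions, not from the original post)
Test-SmtpRelay -Server 'mail.example.com' -From 'you@example.com' -To 'them@example.net'
```

A 550 reply to RCPT TO (Exchange reports it as 5.7.1 Unable to relay) means relay was refused for the connecting host; run the check from both an internal and an external address, since relay permission usually depends on the source IP.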

Thursday, 17 May 2012

Installing an SSL Certificate in Exchange 2010

To import an SSL certificate, use the command below. It prompts for credentials and uses the password entered as the PFX password.

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\CERTNAME.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

To enable a service on the cert, first get the thumbprint of the cert with the following command:

    Get-ExchangeCertificate | fl

Then use the command below to assign the certificate to the services.

    Enable-ExchangeCertificate -Thumbprint E8C1BB735FA57C4E70988420CE247263AD92DC65 -Services "iis,imap,pop"

If you do SSL offloading, make sure you add the DoNotRequireSsl switch to the command, as in the example below.

    Enable-ExchangeCertificate -Thumbprint E8C1BB735FA57C4E70988420CE247263AD92DC65 -Services "iis,imap,pop" -DoNotRequireSsl