Finding the Sweet Spot for Effective Security Monitoring
Log monitoring should be a foundational piece of any organization's security program. Regardless of whether the monitoring is performed by a Managed Security Services Provider (MSSP) or an in-house security information and event management (SIEM) tool, key details about the activity occurring on the network and in key systems and applications should be captured and analyzed for security incidents, operational issues and regulatory compliance. If configured correctly, these device and application logs can provide great insight into the activity occurring on the network, legitimate or otherwise. However, the first step toward recognizing the bad things that occur is to make sure you understand the good things that are happening, and what normal activity looks like in general.
One of the most challenging steps for setting up a robust monitoring program is to determine what and how much to... read more >
In my last post, "iOS Security: Unpacking Applications," I mentioned how easy it was to get into the binary of an iOS application. In this post, we will see that it is just as easy with an Android application.
Similar to iOS applications, Android applications are compressed into a zip-like file with the extension .apk. The process for unzipping an application file is essentially the same, minus the decryption step.
First, create a folder to store the decompressed files.
Change directories into the newly created folder.
Unzip the ApplicationName.apk file.
Once unzipped, the contents of the newly created folder should resemble the following:
The... read more >
Something Old, Something New
The Solutionary Security Engineering Research Team (SERT) has released its Q2 2014 Quarterly Threat Intelligence Report. SERT identified both old and new trends and information during research efforts this past quarter. For instance, it may not surprise anyone to know that the United States dominated malware-hosting countries, but it is new that this included 56% of the malware identified by the SERT honeynet (up from 44% in Q4 2013).
There were some changes in the top 10 hosting countries, but United States sites still rule this particular category. It may surprise you, however, to hear that Amazon hosted 41% of the malware SERT identified during the quarter (an increase of over 2.5 times the 16% found in Q3 2013). We had hoped that hosting providers would take action to reduce the number of “hostile” sites, yet it appears that attackers are flocking to Amazon-hosted services because of the ease with which new sites can be provisioned and brought up and running in a few moments. By contrast, GoDaddy dropped... read more >
More and more organizations are moving to the “CLOUD.” It seems as though you can't read an article about IT or turn on the TV without seeing something about the increasingly ubiquitous cloud. Of course, the cloud is more than just an IT buzzword; it's an increasingly important part of IT that requires organizations to consider the security implications of "moving to the cloud."
Moving to the cloud can benefit a lot of organizations. However, you need to know how to keep things secure while you migrate to such an environment. The term "cloud" is frequently thrown around in discussions, but in reality a lot of IT professionals do not really know all the downsides of cloud migration, and security issues are often overlooked.
I keep reading and hearing statements like, “The cloud is so much easier to manage and makes your information more secure." These types of blanket statements are just not... read more >
12 Log Data Sources for Incident Response
When the Solutionary Security Engineering Research Team (SERT) gets involved in a critical incident response, it’s fairly common for the organization we’re helping not to have centralized logging in place. It’s also common to conduct response efforts in network areas that have little logging or visibility.
These are significant yet common challenges, and they have a negative impact on anyone's ability to piece together what happened. That does not mean, however, that we cannot do any incident research. It's not ideal, but a partial picture can be created given enough data from a wide range of sources.
There’s also a common misconception that the logs needed for continuous security... read more >
Is it really as bad as it sounds?
Run and hide! Another hacktivist operation has started! At least, that is how the attackers would like you to feel. Personally, I don’t think that is ever an effective solution. So, what's happening this week?
The Tunisian Hackers Team (THT) is directing a new operation, titled with a fear-inducing hashtag, #TheWeekOfHorror. This operation started in the usual manner, with a... read more >
In my blog post titled "Top 5 iOS Development Security Tips," I mentioned the importance of obfuscating mobile application source code.
In this post, I am going to demonstrate the ease with which iOS applications can be decrypted and reverse engineered, allowing access to the classes used within the application. Before we begin, let us review the structure of an iOS application.
Once compiled, each iOS application is compressed into a zip-like file with the extension .ipa. I want to emphasize "zip-like" because that holds the key to starting the process. When the iOS application is installed, the installation process unpacks the .ipa file and stores the application files in a folder named "ApplicationName.app." Within this folder lies the actual binary, named "ApplicationName."
This binary is what we want. We start by decrypting the binary.
In order to successfully decrypt the... read more >