Denial-of-service (DoS) attacks are so common now that the phrase “DoS attack” hardly needs explanation, even to the lay person. It instantly conjures images of banking sites that refuse to load and gaming consoles unable to connect. The other instant reaction is to think of the attackers, such as Anonymous, the Qassam Cyber Fighters, or the Lizard Squad. However, not all denial of service is the product of a coordinated attack. Many forms of DoS are organic by-products of completely normal traffic. So-called “normal traffic” includes everything from legitimate customers, business partners, and search-index bots to data-mining scraper-bots and other more malicious automated…
Author: Brian A. McHenry
The exasperating attempt to bring seemingly uncontrollable and chaotic forces into step with one another is often referred to as “herding cats.” Examples range from chaperoning kindergarteners on a museum field trip to managing rock star developers on a software project. In today’s “HTTPS Everywhere” world, enterprise key and certificate management (EKCM) can also seem like an exercise in herding cats. However, with the explosion of SSL/TLS usage, high profile Certificate Authority (CA) compromises, and ever-evolving malware, an effective EKCM program has never been more vital to ensuring strong security. Mismanagement of keys and certificates can impact security in a…
Predictions for the coming new year always abound. While no one has a crystal ball, I have the benefit of talking to a lot of security teams. Last year around this time, I held forth that HTTP/2 and TLS 1.3 would be disrupting the Internet in 2015. While HTTP/2 adoption is only now starting to really pick up speed, and we’re still awaiting a new version of TLS, the all-HTTPS Internet is unquestionably on its way. While intelligence agencies speculate upon the impact of criminals and terrorists encrypting their communications, the all-HTTPS Internet is already impacting most of us in…
The Domain Name System, or DNS, is arguably the most important system on the Internet. Without it, we’d all have to memorize IP addresses the way we once memorized the phone numbers of our friends and family. Actually, in the case of IP addresses, we’d probably just not use the Internet at all, since even the web applications we use rely on DNS to reach services and content at other addressable locations on the Internet. As security or IT practitioners, we spend a lot of time securing applications and ensuring their availability. However, none of them would…
Threat modeling is vital to any security practice. For example, we can understand the OWASP Top 10 vulnerabilities, yet still misspend our efforts and dollars defending against exploits of vulnerabilities that are not present in our web applications. Managing the epidemic of bot traffic can be just as daunting when we consider how such traffic affects our threat models. The term “bot” or “botnet” is thrown around a lot. Why is bot detection so valuable to your security posture if the typical botnet isn’t a significant part of your threat model? Bots cover large classes of fully automated scans and attacks, and…
Smartphones are powerful devices, and a constant reminder that we are “living in the future.” We can take high-resolution photos, edit those photos, and upload them to the Internet in less time than it takes to order a cup of coffee. We can track our activity, our calorie intake, and our workouts. We can even get a ton of work done without ever opening a laptop or sitting down at a desk. All with a device that fits in the palm of the hand. However, as with any complex device or system, vulnerabilities and the potential for bad guys to…
Web application security is hard to implement and harder still to maintain. The application layer is also the top attack vector for data loss, via such well-known vulnerabilities as SQL injection. Needless to say, we infosec practitioners are always looking for an application security “easy button.” Part of the solution is staring us right in the face, yet we have been slow to leverage HTTP response headers. With that in mind, the findings of Scott Helme’s recent survey of the top one million web sites came as a huge shock. Security-centric HTTP response headers are relatively easy to insert and…
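The post refers to surveying sites for the security-centric response headers they do or do not send. The following is an added example, not code from the original post or from Scott Helme’s survey, of the kind of check such a survey runs: it takes a parsed set of response headers and reports which baseline security headers are missing or weakly configured. The baseline header set, the 180-day HSTS minimum, and both sample responses are assumptions constructed for this example.

```python
"""Audit security-relevant HTTP response headers (added example, not from the post).

The baseline below is an assumption of this example: a minimal set a public
HTTPS site is commonly expected to send, plus thresholds chosen here.
"""
from typing import Dict, List
from urllib.request import Request, urlopen

# Assumed baseline for this example; adjust to your own policy.
BASELINE = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}
MIN_HSTS_MAX_AGE = 15552000  # 180 days in seconds; an assumption of this example


def _parse_directives(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing in the baseline is missing or weak."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    for name in sorted(BASELINE):
        if name not in h:
            findings.append(f"missing: {name}")

    if "strict-transport-security" in h:
        d = _parse_directives(h["strict-transport-security"])
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"weak: strict-transport-security max-age={max_age} < {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("weak: strict-transport-security lacks includeSubDomains")

    if "content-security-policy" in h:
        csp = h["content-security-policy"].lower()
        if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
            findings.append("weak: content-security-policy allows unsafe-inline/unsafe-eval")

    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")

    if "x-frame-options" in h:
        xfo = h["x-frame-options"].strip().upper()
        if xfo not in ("DENY", "SAMEORIGIN"):
            findings.append(f"weak: x-frame-options value {xfo!r} is not DENY/SAMEORIGIN")

    # Version disclosure is not a baseline header, so it is reported as informational only.
    if "server" in h and any(ch.isdigit() for ch in h["server"]):
        findings.append(f"info: server header discloses a version: {h['server']}")

    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch live response headers with a HEAD request (only used against a real URL, not in the samples)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses; not captured from any real site.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.7",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or ["ok"])
```

Run against the constructed weak response it reports two missing headers, an HSTS max-age that is far too short and lacks includeSubDomains, an obsolete X-Frame-Options value, and a version-disclosing Server header; the hardened response produces no findings. To survey a real site, pass the result of `fetch_headers("https://example.com/")` into `audit_security_headers`.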
Spending on cyber security solutions is exploding. Security startups like CrowdStrike are attracting investment funding to the tune of $100M, and enterprises are hiring security engineers as quickly as they can find them. Unfortunately, unlike online shopping, where there’s a deal site or coupon code just waiting to be used, there’s no coupon code for getting the most out of our efforts to improve security. Instead of wishing for one, the key is to focus on reducing the risk of a successful denial-of-service (DoS) attack or, worse, a data breach. While every organization is different, with…
While the debate rages on over whether SSL Everywhere is necessary and/or good for the Internet, the number of sites and services supporting SSL/TLS encryption continues to soar. The SSL Everywhere debate has centered on typical browser-based web applications and mobile apps, but the Internet of Things (IoT) is also increasingly encrypting communications by default. IoT devices and services aren’t confined to smart thermostats and other home automation gadgets. In the enterprise, copier/printers, security sensors, and the variety of gadgets employees bring to the office are just a few examples of how the IoT trend is…
Attending conferences and trade shows is a luxury many of us cannot afford, in both time and expense. Compounding this, many of the larger events have devolved into long-form vendor showcases, more closely resembling the International Auto Show than the educational and invigorating experiences they purport to be. These mega events are also very costly, between travel costs and a skyrocketing price of admission in the thousands of dollars. Fortunately, many local events have sprung up for the security professional, such as local OWASP and ISSA chapter meetings, Security BSides, and many others. The cost…