IT Trenches


March 30, 2010  12:20 PM

Infosec Awareness Training – Phish or no-Phish



Posted by: Troy Tate
infosec, infosec awareness, phishing, security education, social engineering, ssl certificates

In every employee meeting where I have an opportunity to speak about information security, I bring up the topic of phishing. Phishing is one of the biggest threats in information security today. Social engineering seems to be more prevalent, and harder to detect, than ever and we all have to be vigilant to protect ourselves and others. I say protecting others – by this I am referring to those social engineering attacks which result in a system getting compromised with a bot that then attacks other systems.

However, I digress from the purpose of this posting. I was recently made aware of a good phishing awareness education website. Even though the website is an advertisement by Verisign, it still has a good message for the general consumer and computer user population. The website presents 5 good websites and 5 phishing websites. The visitor is requested to decide which is the real website and which is the phishing website. It’s not easy to determine in some cases. In fact, the phishing websites get “better” as you go through the quiz. The quiz runs a second time through the 5 websites using Verisign “Extended Validation SSL” certificates on the good sites. TIP: watch for the green address bar. I would recommend that you take a few minutes, run through this quiz yourself and see how you do. Share the quiz with co-workers and family members. Visit Verisign’s Phish or No-Phish quiz and see how you do.

Folks, phishing is a real threat. The “bad” websites are getting “better” every day. Education, awareness and attention to detail may be the only way you prevent being directly affected by this threat. Thanks for reading & let’s continue to be good network citizens!

March 29, 2010  2:14 PM

Wireshark Book – Coffee & a Quickie



Posted by: Troy Tate
ethereal, Laura Chappell, network, network analysis, packet analysis, packet capture, protocol analysis, technology reference, wireshark

Laura Chappell, my favorite Bitgirl, has released a new book about the Wireshark packet capture and analysis tool. My book is on its way. I can’t wait to dive right in and learn some new tricks. However, in the meantime, you and I can both get a coffee and a quickie look at the new book and some features inside. Check it out. There are six quick videos of about 15 minutes or less that barely touch what you can do with Wireshark guided by Laura’s book. Grab a cup of java and enjoy!

Thanks for reading – and a tip of the hat to Laura – “enjoy life a bit at a time”.


March 26, 2010  2:20 PM

Microsoft releases the Microsoft Volume Licensing Reference Guide



Posted by: Troy Tate
Microsoft, Microsoft licensing, Microsoft Volume Licensing, software assurance, software licensing

Software licensing is one of the most complex activities that an IT person has to deal with, especially Microsoft licensing. Microsoft has released a Volume Licensing Reference Guide. This guide is intended to help organizations understand the various Microsoft volume licensing programs available. This guide has the following table of contents:

  • Chapter 1: Introduction to Volume Licensing
  • Chapter 2: Choosing a Volume Licensing Program for Your Organization
  • Chapter 3: Choosing a Volume Licensing Program for Your Government Organization
  • Chapter 4: Choosing a Volume Licensing Program for Your Charitable Organization
  • Chapter 5: Choosing a Volume Licensing Program for Your School or University
  • Chapter 6: Microsoft Volume Licensing Programs for Software and Service Partners
  • Chapter 7: Using Products Licensed Through a Microsoft Volume Licensing Program
  • Chapter 8: Microsoft Software Assurance for Volume Licensing

If you have ever had any questions about Microsoft volume licensing programs, and most of us have at one point or another in our careers, then this is a good place to start. I’m sure that somewhere in this 65-page document you will find a nugget of useful information.

Thanks for reading & let’s continue to be good network citizens!


March 21, 2010  4:42 PM

Book Review: CISSP Video Mentor by Shon Harris



Posted by: Troy Tate
asymmetric encryption, CISSP, education, encryption, ip-sec, ipsec, OSI model, PKI, Shon Harris, technology training, training, video learning

Shon Harris is a well-known author of information security training materials. She is the owner and president of Logical Security. I recently had the opportunity to go through her CISSP Video Mentor course presented by Pearson Learning. This product can be found on Amazon for a price of $53.55 at the time of this writing. It can also be found on InformIT for the much higher price of $76.50. If you are a socially conscious buyer and want to promote world literacy, then consider buying this product and any future book purchases at BetterWorldBooks. BetterWorldBooks has this selection for $56.98. The product is actually a DVD with an 80-page book (of which only 43 pages are content and the remainder are blank pages for notes).



March 17, 2010  8:59 PM

National Research Council Announces Cyberdeterrence Scholarship



Posted by: Troy Tate
cyberattack, cybersecurity, cyberterrorism, cyberthreats, information security, infosec awareness, risk, risk management, security awareness, threat

This is a very interesting call for papers (CFP). The questions of interest section raises some significant security concerns. Maybe you watched some of the US national cybersecurity drill in February. If not, check out my previous blog posting Dept of Homeland Security announces National Cybersecurity Awareness Campaign Challenge. So, if that got your attention, maybe you can understand the risks and threats presented by the questions of interest section below. If you enter, good luck in the competition. If you do enter, share with other ITKE readers information about what you researched and some of your findings.

NRC Prize for Cyberdeterrence Scholarship

Computer Science and Telecommunications Board Division on Engineering and Physical Sciences Policy and Global Affairs National Research Council

March 11, 2010

In a world of increasing dependence on information technology, the prevention of cyberattacks on a nation’s important computer and communications systems and networks is a problem that looms large. Given the demonstrated limitations of passive cybersecurity defense measures (that is, measures taken unilaterally by an organization to increase the resistance of an information technology system or network to attack), it is natural to consider the possibility that deterrence might play a useful role in preventing cyberattacks against the United States and its vital interests.

At the request of the Office of the Director of National Intelligence, the National Research Council (NRC) is undertaking a project entitled “Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy.” The project is aimed at fostering a broad, multidisciplinary examination of strategies for deterring cyberattacks on the United States and the possible utility of these strategies for the U.S. government. As part of this project, the responsible committee is issuing a call for papers that address questions relevant to this broad topic.


March 17, 2010  5:09 PM

Google Apps Status Dashboard available



Posted by: Troy Tate
gmail, Google, Google Apps, Google Groups, Google Talk, Postini, service reporting, sla, sla management

Google has an Apps Status Dashboard website where users of Google Apps such as Google Mail, Google Talk and even Postini services can see current service status. This replaces the previous dashboards or stoplight service reporting function for these services. You can even subscribe to an RSS feed for tracking service status. Check it out. Scroll back through older status reports and see what services had issues and when they were resolved. It might help you in making a decision about how reliable Google apps are for your organization.

Thanks for reading & let’s continue to be good network citizens.


March 12, 2010  4:47 PM

Dept of Homeland Security announces National Cybersecurity Awareness Campaign Challenge



Posted by: Troy Tate
crisis management, cybersecurity, Department of Homeland Security, dhs, education, information security, information security awareness, risk management, security awareness, training

Maybe you heard about the cybersecurity drill run last month by the Department of Homeland Security. If not, check out this CNN news story. Then watch the very interesting videos of the drill itself.

Video: http://www.youtube.com/v/u4MDjcpPfvE

Now DHS has announced a National Cybersecurity Awareness Campaign Challenge. This is a solicitation for ideas from individuals and organizations about how DHS can best discuss cybersecurity clearly and comprehensively with the American public. DHS is asking for proposals to be submitted by April 30, 2010 in Word format. The winners of the challenge will be invited to a special event in Washington, DC in May or June. DHS will partner with the winners during the launch of a National Cybersecurity Awareness Campaign in October during National Cybersecurity Awareness month.

It will be interesting to see what comes from this campaign. I am always looking for better ways of communicating and measuring risk and information security.

Thanks for reading & let’s continue to be good network citizens.


March 4, 2010  7:29 PM

Verizon releases security incident metrics framework – VerIS



Posted by: Troy Tate
framework, information management, information security, infosec, lessons learned, Metrics, risk management, security metrics, threat mitigation, vulnerability management

Last month Verizon released a publicly available version of the Verizon Incident Sharing (VerIS) framework. This metrics framework is a very easy read and should be of interest to both information security professionals and IT managers. It is intended to help an organization understand the impact of a security incident based on some specific categories. VerIS defines four metrics categories as follows.

  • Demographics – This section describes (but does not identify) the entity affected by the incident. The primary purpose is to aid comparisons between departments within a single organization or among different organizations participating in an information exchange. While any number of organizational characteristics could be tracked, those listed below provide an adequate basis for interesting and useful comparisons.
  • Incident classification – This section translates the incident narrative of “who did what to what (or whom) with what result” into a form more suitable for trending and analysis. To accomplish this, VerIS employs the A4 Threat Model developed by Verizon’s Risk Intelligence team. In the A4 model, a threat scenario or actual security incident is viewed as a series of events that adversely affects the information assets of an organization.
  • Discovery and mitigation – This section focuses on events immediately following the incident and the lessons learned during the response and remediation process. It provides useful insight into the detection and defensive capabilities of the organization and helps identify necessary corrective actions that need to take place to prevent similar incidents in the future.
  • Impact classification – One of the more important pieces of incident information is the impact an incident has on the organization. Unfortunately the true impact of an incident can be difficult to measure, as it is rarely possible to observe all negative aspects of an incident simply by focusing on cost accounting. The VerIS categories of breach impact metrics are designed to help the security professional understand what causes the organization to feel impact (types of impact), so that the organization that they serve can be better prepared to anticipate and contain future losses.

I think that the discovery and mitigation category shown above is one of the most challenging to follow through. How do you keep lessons-learned fresh? What processes do you put into place to detect weaknesses and mitigate threats? Verizon has also opened an online forum for discussion on the VerIS framework. Word needs to get out to the infosec community about this framework and its possible application to an organization. I plan on taking some of the suggestions and improving the security incident handling process at my organization. Share with me and other ITKE readers what you think is right or wrong with this framework or what framework you currently use for your organization.

Thanks for reading and let’s continue to be good network citizens!


February 18, 2010  8:04 PM

Microsoft Security Bulletins for the Regular IT Guy



Posted by: Troy Tate
Microsoft, Microsoft security bulletins, podcast, risk management, security bulletin

If your eyes glazed over during the February monthly Microsoft security bulletin webcast, consider checking out this Technet Edge podcast website. The presenters attempt to describe the updates in non-technical language, what they resolve, and why you should care. In this February edition, the guys are sitting in a Starbucks talking Microsoft monthly updates.

You can also listen to podcasts about previous months’ bulletins. This is another good resource to add to your library for managing the risks of Microsoft systems.

Enjoy and raise a caramel mocha latte for me!

Thanks for reading & let’s continue to be good network citizens.


February 18, 2010  7:36 PM

Free Excel Templates for IT Professionals



Posted by: Troy Tate
Excel template, gantt chart, IT risk assessment, log management, maturity model, Microsoft Excel, project management, risk assessment, risk management, risks, template

I just came across an excellent resource for Microsoft Excel templates that are useful to IT professionals. The files can be found on the Excellence In Financial Management website.

Some of the useful ones that I have now downloaded to my spreadsheet library include:

Template for assessing risk of Information Technology

Gantt chart for project management with work plan. This is the template I was actually searching for since I didn’t really want to use Microsoft Project to build a quick chart. This met my needs and a sample chart looks something like below.

Project management templates (charter, budget, risk register, issues log, etc.)

Project management toolkit

Maturity model for evaluating different segments of IT infrastructure

There are many more on this excellent website. You might also be interested in checking out some of the other management topic links.

What tools did you find useful on this website?

Thanks for reading & let’s continue to be good network citizens!

