It is quite apparent that burnout is one of the highest priority risks facing security professionals today, both by threat impact and by threat likelihood. This can be clearly observed on Twitter, and in conversations with professionals regardless of company. However, when security professionals talk about mitigating risk in their lives, their threat model rarely includes this high priority risk. Perhaps it’s less fun to grapple with than account takeover, endpoint compromise, or covert operations. Or perhaps we avoid it because, unlike these other, more technical threats, we don’t have the tools to combat burnout.
Burnout can be devastating to an individual’s work and personal life, and stress from each can contribute. We only have one supply of wellness to draw upon, so when stress at home adds to stress at work it can catapult us directly into burnout country. But sadly stress is unavoidable, so what can we do to mitigate the risk of burnout in the face of that stress?
Perhaps the most important thing we can do to prevent burnout is to notice the signs early, and to know what contributes to it in our lives. It’s much easier to prevent burnout before you’re in the thick of it. When you feel a rising sense of anxiety, depression, or hopelessness, it’s time to stop and ask yourself, “What’s contributing to this? What are the largest sources of stress in my life right now?”
Find someone to talk to about these feelings and about this stress. If possible, visit a licensed psychologist; they can dramatically improve your overall quality of life.
The book Peak Performance: Elevate Your Game, Avoid Burnout, and Thrive with the New Science of Success (Stulberg, Magness, 2017) explains that peak performance can be achieved and burnout avoided, not through the elimination of stress (we need stress to grow) but through creating a regular cycle of stress and rest.
This means that understanding how you best rest is critical not only for avoiding burnout, but for achieving your best.
I read Peak Performance on Audible; it was easy to follow and the narration was great. Sign up with the link above to start your free Audible Plus trial.
I recently looked at four different aspects of the security posture of a number of US banks. I’d like to explain in detail what these security controls are and why they’re important. In this post I’ll explain what two-factor authentication is and why you should be using it everywhere you can.
To start off, I’d like to define authentication. Authentication is the process by which one proves that they are who they say they are. In the case of most internet sites this is done with a username and password. I tell the site who I claim to be with my username, and prove it by providing something that only I would know: my password. That’s one-factor authentication. Continue reading Two Factor Authentication – Bank Security Explained (1 of 4)
I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all, in 2016 my bank still doesn’t offer two-factor authentication, EMV cards, or several other modern features that I see from other banks. I’d like a bank that takes information security seriously; it seems like my current one does not. While I’m sure I could find clean compliance-based audits for each of these banks, I would prefer to take a different, more open approach. For this exercise let’s just look at email and web site security.
My research methodology (inspired by Mark Stanislav’s MASSACRE talk) is broken down into four steps. Each step will be awarded a letter grade. At the end an average for each bank will be determined.
Continue reading Reviewing US Banks’ Web and Email Security
Recently, Mark Stanislav gave a talk on holistic authentication security for companies that have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site: cookie flags, response headers, etc. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on Apache Tomcat, which leaves a system administrator little room for configuration of these features. Enter HAProxy. Continue reading Raise your MASSACRE Score with HAProxy
HTTP offers several headers that can help protect website visitors. OWASP has a great description of them here. Based on that I’d like to quickly share a few configuration changes I make to Apache web servers.
Continue reading HTTP Security Headers in Apache
We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy for the front-end so we could switch back-end services seamlessly. Continue reading Using HAProxy with CAS
With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the Qualys SSL Labs tool.
Looking at an Apache Tomcat 8 server, I started with a C letter grade: vulnerable to POODLE, and Forward Secrecy not supported. Continue reading Tomcat SSL Tips
Digital storage of electronic protected health information is a treacherous path for a small company to walk. The Health Insurance Portability and Accountability Act enforces a number of requirements on the security controls required for the storage of such sensitive data. Unfortunately, the language used is not crystal clear, and I have been able to find no description of actual technical systems used to comply with these controls.
These controls are required in order to “ensure the confidentiality, integrity, and availability of all electronic protected health information [that a] covered entity creates, receives, maintains, or transmits” (45 CFR § 164.306(a)(1)).
I will outline these requirements here. In a future post I will explain the technical systems I propose implementing in order to comply with these requirements in a low-cost manner. Continue reading ePHI Storage Compliance
Earlier this week content distribution provider CloudFlare announced that they would be providing free SSL certificates for all of their accounts, both paid and free. Continue reading Free SSL Certs for Everyone
I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3.
Download the latest Java 7 JDK RPM, in my case 7u67, and install it. Continue reading Duo Security and CAS