Why runtime application self-protection is critical for next gen security

Today most of us go about implementing security from the outside in. The common practice of defining and then defending a perimeter isn’t viable any longer. With the added complexities of more mobile endpoints, agile development and more sophisticated malware, better protective methods are needed.

In this whitepaper for Vasco (the link to my paper is on the right-hand menu), I describe a method that is gaining traction by defending the actual apps themselves using runtime self-protection. RASP, as it is called, comes from a Gartner 2012 report, but is catching on with several vendors, including Arxan Technologies, HPE App Defender, Immun.io, Lookout App Security/Bluebox, Prevoty, Vasco Digipass for Apps, Veracode and Waratek.

RASP can be a solid defense and a way to isolate and neutralize a potential threat, so you can operate your business safely in these uncertain environments.



iBoss blog: Who are the bug bounty hunters?

Bug bounties have become more popular, but that isn’t surprising given they have been around for more than a generation. The first bug bounty hunting program originated with computer science professor Don Knuth decades ago. It was for reporting errors in his classic book series The Art of Computer Programming, and for catching bugs in several of his landmark software applications. Since then, many vendors such as Google and Facebook have been running programs, and there are others that handle submissions and payouts, set the rules for participation, and generally keep track of all the administration for the program.

You can read my post on the iBoss blog here. 

Simple steps to harden your SMB network

If you run your own small business network, chances are your security could be better. Consider these two news stories that I posted this week on my Inside Security newsletter:

ITEM #1: A group of hackers shut down the heating system on a block of apartments in Finland last month. The issue was a lack of any firewall protecting the HVAC unit, which was controlled by a computer that had a public IP address. You can bet now they have one to protect their systems.

ITEM #2: An auto dealership CRM used by more than 100 dealers has leaked their customers’ and employees’ data online, mainly because their backups were all unencrypted and accessible to hackers.

I recently spent some time hardening my network doing three simple tasks. All of them can be accomplished in under an hour, if you have some basic knowledge and skills, and if you are careful at following the various instructions and interpreting the results. Nevertheless, it took me a lot longer: either because of my own stupidity or sunspots or whatever.

The three tasks are to harden your WordPress installation, scan your ports, and add a basic level of security to your email domain.

WordPress hardening

There are two basic ways to run a WordPress blog: one is by using your own server and the other is by using the free hosting service and having a server at YourDomain.Wordpress.com. I have used both and get into the pros and cons here in a previous post. Assuming you have control over your own server, there are numerous sites that keep track of WordPress plugins and other vulnerabilities; we will just mention a few here:

  • Sucuri maintains this site, and they recently discussed a DDoS attack on v4.5.3 as well as XSS and SQL injection attacks. It is always a good idea to stay current with WordPress versions.
  • If you want some motivation about making your WP site more secure, you should read these suggestions from WPMUDEV. Some are easy to implement, others will take some time.
  • This site has a description of a few vulnerabilities with detailed information on how they are compromised (they also have a free WP plug-in to protect your site). If you get into tracking vulnerabilities, they also have a bug-bounty program.
  • And Network World has an article that goes into best practices about operating your WP site. You can also review many of these on the WordPress Codex that are more of a general security nature too.
  • Finally, you should download the Wordfence plug-in and use it to protect your server. They also have on their site details about general security topics, including an article about how WP-based botnets get started. Their plug-in is free for basic services, and you can upgrade if you want more. I had some trouble when I first installed the plug-in and got to inadvertently test their support team, which was excellent. When I re-installed it, it worked fine.

Scan your ports

For many years I have been a big fan of Steve Gibson’s Shields Up port scanner. It is well worth using, because it is simple, free, and will take just a moment to look at your network router and see what open ports you have. The big limitation is that it only scans the first 1000 ports: that was fine years ago when the Internet was just a gleam in Al Gore’s eye, but now life has gotten more complex. I would also suggest using the BullGuard scanner, which will scan more ports. When I did this on my Uverse-connected network, it found port 7547 open. I hadn’t seen this port before and found this mention on PC World, which has to do with the embedded webserver that is used to manage my Uverse DSL modem. There isn’t much you can do about it, unless you want to switch to a cable ISP connection.

Secure your email server

I have written extensively on using email encryption for your day-to-day emails, but there is another way to approach better email security, and that is by adding an automatic digital signature to the headers of each outgoing email using a protocol called DKIM, which stands for DomainKeys Identified Mail. Most email hosting providers now support this protocol; Google’s help page for their hosting services starts here. DKIM is a lot like the public/private key infrastructure that PGP and others use to encrypt messages. You have your choice of key lengths (choose the longer and more secure 2048-bit keys if your provider supports them).

Google’s help pages are very explicit as to the steps you need to take. You basically need to do three tasks: first, you obtain a key from your email hosting provider. Then, you add a DNS entry with your domain provider (which in my case is my ISP). Then you want to take a few days and check to make sure that you did this correctly, using this verification service.
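The DNS entry in the second step is a TXT record of the form `v=DKIM1; k=rsa; p=<base64 public key>`, and the thing most worth checking before you wait on the verification service is that the key you published is actually the 2048-bit one. The following checker is an added example, not code from the post or from any provider: it parses the tag=value record, decodes the public key as a DER SubjectPublicKeyInfo, and reports the RSA modulus size. The sample records are constructed from placeholder moduli (integers of the right size, not real keys) so the script runs offline; in practice you would paste in the record returned by `dig +short TXT <selector>._domainkey.<yourdomain>`.

```python
import base64
import binascii

# --- minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo (RFC 3279) ---

def _der(tag, value):
    """Encode one DER TLV, using long-form length when the value is >= 128 bytes."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def _der_int(i):
    """DER INTEGER: big-endian bytes, with a leading 0x00 when the top bit is set."""
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der(0x02, b)

def _der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# AlgorithmIdentifier { rsaEncryption OID 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")

def make_sample_spki(modulus, exponent=65537):
    """Build a SubjectPublicKeyInfo around a CONSTRUCTED modulus (test data, not a real key)."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_pub))

def rsa_modulus_bits(spki_der):
    """Return the RSA modulus bit length from a DER SubjectPublicKeyInfo; raise ValueError if malformed."""
    tag, spki, _ = _der_read(spki_der)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _der_read(spki)
    if tag != 0x30 or _der(0x30, alg) != RSA_ALG_ID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("expected BIT STRING public key with no unused bits")
    tag, rsa_pub, _ = _der_read(bitstr, 1)          # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n_bytes, _ = _der_read(rsa_pub)
    if tag != 0x30 or tag_n != 0x02:
        raise ValueError("expected RSAPublicKey SEQUENCE starting with INTEGER n")
    return int.from_bytes(n_bytes, "big").bit_length()

# --- the DKIM record itself ---

def parse_dkim_record(txt):
    """Parse 'tag=value; tag=value' into a dict; whitespace inside values is dropped,
    because DNS splits long TXT records into several strings."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip()] = "".join(v.split())
    return tags

def check_dkim_record(txt, min_bits=2048):
    """Validate a DKIM TXT record and report the RSA key size as {'ok', 'bits', 'problems'}."""
    result = {"ok": False, "bits": None, "problems": []}
    try:
        tags = parse_dkim_record(txt)
    except ValueError as e:
        result["problems"].append(str(e))
        return result
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but must be DKIM1 if present
        result["problems"].append(f"unexpected version tag v={tags['v']}")
    if "p" not in tags:
        result["problems"].append("missing p= tag")
    elif tags["p"] == "":                          # RFC 6376: empty p= means the key is revoked
        result["problems"].append("empty p= tag: key is revoked")
    elif tags.get("k", "rsa") != "rsa":
        result["problems"].append(f"k={tags['k']}: size check here only covers rsa")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
            result["bits"] = bits
            if bits < min_bits:
                result["problems"].append(f"RSA key is {bits} bits, below {min_bits}")
        except (binascii.Error, ValueError, IndexError) as e:
            result["problems"].append(f"cannot decode p= key: {e}")
    result["ok"] = not result["problems"]
    return result

# Constructed sample records: placeholder moduli of the right size, NOT real keys.
SAMPLE_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(make_sample_spki((1 << 2047) | 0x10001)).decode()
SAMPLE_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(make_sample_spki((1 << 1023) | 0x10001)).decode()
SAMPLE_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, rec in [("2048-bit", SAMPLE_2048), ("1024-bit", SAMPLE_1024), ("revoked", SAMPLE_REVOKED)]:
        print(name, check_dkim_record(rec))
```

The DER walk is deliberately strict: a record whose `p=` value is not an rsaEncryption SubjectPublicKeyInfo, or whose base64 has been mangled while pasting it into the DNS console, is reported as a problem rather than silently passing. The `k=` default of `rsa` and the revoked-key meaning of an empty `p=` follow RFC 6376.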

Good luck with securing your domain and servers. Feel free to share other simple tips here as well.


Security Intelligence: What are the new security features of Windows Server 2016?

Windows Server 2016 became commercially available on Oct. 12, 2016. The new operating system includes a few noteworthy and important security features, such as a bare-bones Nano Server to reduce the potential attack surface, a more protected hypervisor that can run encrypted virtual disks, minimal administration to bring the principle of least privilege to remote PowerShell environments and more.

You can read my summary of these and other security features in my post for IBM’s SecurityIntelligence blog here.

iBoss blog: Why Grammar Counts in Decoding Phished Emails

When it comes to crafting the “best” phishing email scam letter, over the years it has been assumed that the less polished a letter, the better. Having something that is poorly worded, or purposely uses bad syntax and grammar tends to eliminate the sharper-eyed readers who probably wouldn’t respond to the phish anyway. This way the phisher ensures that only the most gullible users will end up getting snared.

However, the tide may be turning, and finally grammarians might be gaining the upper hand. A new theory is that correct grammar gets better results these days. My blog post for iBoss has the details about how the French are leading the charge.

Speaking gigs as part of cybersecurity awareness month

October is cybersecurity awareness month and I am giving a speech at several locations around town to do my part. The speech draws on several blog posts that I have written recently about the debate between security and privacy, and covers the following topics:


The speech will be given this week at St. Louis’ America’s Center SecureWorld conference and as part of a special month-long series of activities at Fontbonne University, including this St. Louis chapter meeting of ISACA. You can download my presentation here.