|Timestamp||Topic Title||Describe the topic||To what GIAC certification(s) does the topic apply?||approved||inprogress|
|10/10/2013 6:40:20||Enterprise Key Management Best Practices||Organizations are expected to manage valuable key material for business critical applications on a daily basis. This paper would outline the basics of enterprise key management, provide a broad overview of what commercial and open source solutions exist, and provide a framework/best practices that can be used to manage and implement such solutions.||GSNA|
|11/1/2013 16:21:50||Is Cyber Risk Insurance Worth it||Insurance companies have started offering insurance for cyber security related incidents. What should one consider before signing up for insurance like this? When is it good to have?|
1) Does your org have enough cash to self-insure? That can be the best choice financially.
2) If not, are the premium and the level of coverage rational?
3) Carefully read the policy to see any exceptions or limitations.
|12/2/2013 10:32:03||Data visualization in Network Forensics|
|12/6/2013 7:21:46||Equitable Forensics in a Global Environment||NOTE: THIS IS IN PREPARATION FOR GCFA RENEWAL IN 2014|
My GCFA renewal is late 2014. I wish to assure I have approval prior to any effort on this topic.
The following is the planned abstract.
Successful multi-national corporation forensics is more than acquisition, data discovery and presentation to the target audience. It is a balancing act of corporate expectations, legal constraints and assuring investigation due care. Most corporate forensic investigations are not criminal misconduct. The investigation focus is tort or corporate misconduct. The investigator faces management restraints, legal constraint and urgency for discovery completion.
The mature multi-national forensic investigation will utilize documented good security practice and incident flow. The mature investigation will require access to legal resources assuring investigations will not violate local law. The corporate investigator may have hurdles such as no direct physical access or presence. Use of third party on-site investigators may be required. Clear qualitative forensic analysis will always be more valuable than quantitative analysis. Positive proof in country A may not be considered conclusive in country B.
|1/28/2014 7:03:03||Managing skills for auditing networks||Planned Abstract:|
The reasons why professionals enter the IT audit field vary widely. With the tremendous growth of technology, many auditors see IT audit as a way to set them apart from their peers.
At a particular advantage are individuals who already have extensive IT experience and wish to capitalize on this knowledge in the audit field. Prentice believes that it is easier to teach an IT person audit skills than for an auditor to learn IT skills from scratch. Regardless of what causes a professional to enter the field, he or she should have certain characteristics important to a successful IT audit career.
|2/1/2014 6:25:46||Managing an application security team, the challenge of the numbers||Most application security specialists today have something in common: they moved their careers from development to security. And even in 2014, making that move is still not common.|
70% of vulnerabilities are in applications, but the number of universities and colleges teaching secure development is still very low.
Then the challenge becomes clear: a limited number of application security specialists on one side, and an army of untrained developers on the other side.
I will explain challenges related to humans, management, growing the practices, managing multiple disciplines, training our people, open source, etc. So you will get a 360-degree view of how our team, in a large financial institution, was able to make a difference. Making sure security is taken care of at the beginning of the project is even more important when each vulnerability costs ~20k once in production.
My paper will talk about ISO 27034, training, awareness, secure code review, penetration testing and scanning, open source, and also hardware hacking.
|4/9/2014 15:59:08||Sandboxing and APT||There is hype around APT protection in the market now, and most of the controls aimed at the attack talk about sandboxing technology. But the fact is that in the cyber kill chain there are many ways APT can be detected and protected against. The question now is where sandboxing technology can be used, how effectively this sandboxing technology can be implemented to protect against APT, and what other kinds of technology can be used to protect the environment from APT.||GSEC|
|5/7/2014 0:43:35||Auditing using Vulnerability tools to identify today’s threats Business Performance||Using a variety of data sources, including vulnerability tools, prioritizes the risk mitigation resources while lowering the overall risk status. This is critical for reducing any open gaps and ensuring that business analytics are balanced. Vulnerability tools enable one to quickly score, organize, and combine hundreds of thousands of vulnerabilities and emphasize the critical few risks.||GLSC|
|10/9/2014 6:43:56||A practical approach to application security monitoring||The goal of the paper is to describe a project approach or methodology for how to set up application security monitoring for an application/information system. I would like to structure the approach in the following phases:|
1) Information inventory of the application: where you assess which information you want to protect/monitor. You'll also map
2) Scoping the monitored security events or application events you would like to include. I have the idea to actually include a toolkit in the paper in the form of an Excel spreadsheet which people could use to guide them in the process of building a monitoring initiative.
3) Offer an overview of standard application security metrics/indicators which are used to measure the health status of your application and show the actual risks in the system.
4) Build the monitoring initiative.
5) Maintain the monitoring initiative.
|10/19/2014 11:51:54||How will Mobile Forensics look in the future?||Mobile Forensics has long been the exploitation and analysis of data mainly retrieved from a forensically acquired image of the mobile device. With the advancements of technology and the growing increase in secure personal data, are the device manufacturers pushing the forensics world into exploiting other aspects of the phone, i.e. the cloud (Google, iCloud), 3rd party applications or the phone backups?|
I will explore the way manufacturers have moved to encrypting devices by default, how applications are potentially the new risk of mobile devices and also how the introduction of paired devices will introduce an opportunity for forensic investigators to alleviate additional devices that are directly linked to the original evidential device.
|7/27/2016 5:00:56||Deploying a Netflow Architecture Using Silk||A useful paper would be a readable, clear deployment guidance document on building out a Netflow architecture using Silk. They do have a guide but it is tough to follow.||GCIA|
|4/5/2017 14:34:48||Artificial Intelligence and Law Enforcement||After the 9/11 terrorist attacks against the United States, the law enforcement and intelligence communities began efforts to combine their talents and information gathering assets to create an efficient method for sharing data. The central focus of these cooperative efforts for sharing information was state fusion centers, tasked with collecting data from several database sources and distributing that information to various agencies. This vast amount of intelligence data eventually overwhelmed the investigative organizations. The use of Artificial Intelligence (AI) to parse data and extract patterns of behavior that can create actionable intelligence for the recipient agencies is a technology that is desperately needed in order to shape the methodology of critical data sharing for crime and terrorism prevention. AI can analyze threat data and historical information and then create attack hypotheses for predicting when and where crimes will be committed. Statistical and tactical analysis of criminal and terrorist patterns of behavior by AI’s intelligent software agents can provide economical operations and resource management. By predicting the most logical locations for criminal activity, equipment and personnel can be directed to those areas to prevent those events from occurring. Financial resources must be allocated to allow for the development of these applications and for the exhaustive study of test results to ensure the accuracy and efficacy of AI’s machine-learning techniques for increasing the crime fighting options available to law enforcement and the intelligence communities.|
|9/11/2017 12:13:36||Secure that flow||Flow Computers are the front line cash register for the commodity world. Energy assets are operationally controlled by an ICS (Industrial Control System); the FC (Flow Computer), often an afterthought or bolt-on, is sloughed off as someone else's problem and mostly forgotten in the security planning process. Flow Computers monitor and totalize the product transfer between two companies and can vary from tens of thousands to millions of dollars of custody transfer a day. These little, forgotten electronic devices, if compromised, could shift energy commodity markets globally.||GICSP|
|3/8/2018 10:12:19||Pen testing and automated adversarial planning||Utilizing the pen test framework and newly deployed automated adversarial programs, develop a plan for pen testing systems based on these new techniques and how they apply across enterprises. Look at specific info gathering tools, change management to update the automation, and passive/active gathering to update attacks; also apply the MITRE ATT&CK framework to such a tool.||GPEN|
|3/23/2018 9:40:11||Best Practices using Terraform for AWS Infrastructure as Code||The idea with this Gold paper is to discuss best practices in using Terraform to write infrastructure as code for the AWS Cloud Environment and building a simple cloud resource, protecting the source code, following change controls and code review, and using automation to update the code and apply it. This could even be split into a few-topic white paper series.||GCED|
|5/15/2018 20:06:35||Real Time Phish Brand Detection||This paper will discuss the methodology, tools and techniques being used to detect phish brands by ingesting 3rd party sources. In addition to that, it will collect a whole lot of information which will be beneficial in threat hunting, e.g. looking for IP addresses hosting multiple phishing campaigns, looking for HTML comments, taking the MD5 hash of the page, etc., using Elasticsearch capabilities.||GCIH|
|7/18/2018 4:46:46||Enterprise-wide Network Monitoring with ROCK NSM||Network attacks have been increasing in number and complexity over the last few years. Network monitoring tools and NIDS/NIPS systems have evolved to protect organizations against new attack types and campaigns. As such, these solutions are commonly listed in the Preparation phase of many Incident Response (IR) playbooks. However, as of 2018, a limited number of solutions offer an all-in-one solution that allows companies to have a single point of control over their network.|
Response Operation Collection Kit Network Security Monitoring (ROCK NSM) platform encompasses the capabilities of both network monitors (Bro) and NIDS/NIPS (Suricata/Snort) to provide organizations with an all-in-one, plug-and-play network monitoring and prevention solution.
The purpose of this paper is to provide a comprehensive view on how organizations can benefit from ROCK NSM features by describing how it can be deployed and tuned for enterprise use with the idea of making ROCK NSM enterprise ready. We will describe how the different components can be configured, how they interact with each other and how their output can be integrated with existing SIEM solutions.
Further information about ROCK NSM can be found here: http://rocknsm.io/
|2/22/2019 12:40:51||To SIEM or not to SIEM||Exploring open source and third party options for a SIEM.||SEC555|
|5/19/2019 11:13:07||International Law Applicable to the IDF's Physical Attack on Hamas Cyber HQ||On May 5, 2019, approximately 600 rockets from Islamic Jihad and Hamas were fired into Israel over a period of about 36 hours. According to the Israeli Defence Forces (IDF), Hamas attempted a cyber offensive against Israeli targets; after the defensive operation, the IDF targeted Hamas's cyber headquarters. Was the IDF's physical attack in retaliation to a cyberattack consistent with applicable international laws?||GLEG|
|11/7/2019 2:10:29||Detect and Slow Down any Ransomware-like Activities using a “File Honeypot”||Ransomware attacks are common nowadays, and the attack surface in any organization is so large that there is almost no way to prevent or avoid them. As a result, a proper way to detect any ransomware-like activities is necessary to safeguard files, especially on shared directories or folders, to minimize the impact in case other security controls, like backup & restore, endpoint detection and sandboxing, have all failed.|
Considering that not every organization can have the budget for a very sophisticated solution, a layman's approach is designed that makes use of the free version of a SIEM for this purpose. Splunk Enterprise will be used in this case, but other SIEM or logging mechanisms with a simple analysis solution should be able to produce similar results. The core idea is not only how to make use of the tool’s existing functions to achieve the detection, but also a demonstration of the security analysis of the problem, catering for the wide variety of possible variants or mutations of cybersecurity attacks which could result in similar activities on the system.
|2/20/2020 8:31:45||5G Service Based Interfaces||This gold paper would detail the concerns around 3GPP 5G technology and its introduction of service based interfaces to allow virtual network functions to communicate. The paper would serve as an introduction to topics such as threat modelling the 5G core, mobile edge compute and handling of web APIs on the control plane (both network element and network element management domain), user plane and signalling plane.||GWAPT|
|3/4/2020 7:59:55||BYOD||The Consumerisation of IT discusses the embracing of consumer (privately-owned) technologies, either hardware and/or software, in a corporate context. One of its most disruptive trends is known as Bring Your Own Device (BYOD) and has been researched more heavily in recent years with notable beneficial effects. For this reason, we intend to analyse the BYOD trend, its benefits and challenges to both employer and employee from a Risk Management perspective.||GSEC|
|8/19/2020 9:41:52||Proper Acquisition of Docker Containers||Acquiring a Docker container on a Windows host in a light and proper way (maybe using the KAPE tool) rather than imaging the whole host.|
A container could have external volumes attached to it, which could be SAN or NAS, and we could also deepen our research a bit to cover every implementation of Docker in Windows (Docker Desktop in Linux Hyper-V, Windows containers and Docker over WSL2).
|8/21/2020 23:29:57||Proper acquisition of Docker containers in Windows||Acquiring a Docker container in Windows specifically, in an efficient way and not relying on a full image of the host. It is a bit of a challenging task.|
If Docker Desktop is installed, it can run using virtualized Linux, on Windows, or via WSL2,
and there are various volume mounting ways that need to be tackled.
We may also discuss Windows Server PowerShell Docker container deployment.
My initial idea is to use something like KAPE and add a target and module for Docker.