I often encounter professionals wrestling with the question: “Should I transition into a management role?” Today, I’d like to shed some light on this topic in case you are also wondering if management is for you. Choosing a career path is a deeply personal decision and, while it’s thrilling to consider new possibilities, it can also bring up a lot of uncertainty. My hope is that this post will help you gain clarity and make a decision that feels right for you.

We recently had trouble replacing an older CAS server with a new system. The new server would not forward to the requested service after authenticating and the service could not verify the service ticket. We decided to use HAProxy with CAS for the front-end so we could switch back-end services seamlessly.

We used the following HAProxy config, which allowed us to provide front-end and back-end SSL.

global
 log 127.0.0.1 local0
 log 127.0.0.1 local1 notice
 maxconn 4096
 user haproxy
 group haproxy
 daemon
 tune.ssl.default-dh-param 2048
defaults
 log global
 mode http
 option httplog
 option dontlognull
 option forwardfor
 option http-server-close
 stats enable
 stats auth someuser:somepassword
 stats uri /haproxyStats
 timeout connect 5000
 timeout client 50000
 timeout server 50000
frontend http-in
bind *:80
reqadd X-Forwarded-Proto:\ http
default_backend application-backend
        

It is quite apparent that burnout is one of the highest priority risks facing security professionals today, by threat impact, and by threat likelihood. This can be clearly observed on Twitter, and in conversations with professional regardless of company. However, when security professionals talk about mitigating risk in their lives, their threat model rarely includes managing burnout risk. Perhaps it’s less fun to grapple with than account takeover, endpoint compromise, or covert operations. Or perhaps we avoid it because unlike these other, more technical threats, we don’t have the tools to combat burnout.

Burnout can be devastating to an individual’s work and personal life. And stress from each can contribute. We only have one supply of wellness to draw upon and so when stress at home adds to stress at work it can catapult us directly into burnout country. But sadly stress is unavoidable, so what can we do to mitigate the risk of burnout in the face of that stress.

I recently looked at four different aspects of the security posture of a number of US banks. I’d like to explain in detail what these security controls are and why they’re important. In this post I’ll explain what two factor authentication is and why you should be using it everywhere you can.

To start off, I’d like to define authentication. Authentication is the process by which one proves that they are who they say they are. In the case of most internet sites this is done with a username and password. I tell the site who I claim to be with my username, and prove it by providing something that only I would know: my password. That’s one factor authentication.

I have had an account with the same bank for a really long time. Perhaps the time has come to switch to a new bank. After all in 2016 my bank still doesn’t offer two factor authentication, EMV cards, and several other modern features that I see from other banks. I’d like a bank that takes information security seriously, it seems like my current one does not. While I’m sure I could find clean compliance based audits for each of these banks, I would prefer to take a different, more open approach. For this exercise let’s just look at email and web site security.

Recently, Mark Stanislav gave a talk on holistic authentication security for companies who have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site; cookie flags, response headers, etc.. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on Apache Tomcat, which leaves a system administrator little room for configuration of these features. Enter HAProxy.

With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the Qualys SSL Labs tool. From here I came up with a list of Tomcat SSL tips to help you improve your letter grade too.

Looking at an Apache Tomcat 8 server I started with a C letter grade. Vulnerable to POODLE and Forward Secrecy not supported.

Earlier this week content distribution provider CloudFlare announced that they would be providing free SSL certificates for all of their accounts, both paid and free. 

So I pulled the trigger, after adding CloudFlare to my domain for this blog I signed in and and selected Flex SSL. This provides an SSL tunnel between the client and CloudFlare; the connection from there is unencrypted HTTP. Still, this is a free and easy way to add, not only security for the end user, but also boost ones SEO score on Google.

Earlier this year I attended the Educause Security Professional Conference in St. Louis. I went to a session at which Nick Hannon from Swarthmore College explained how Splunk could combine MaxMind GeoIP data with authentication logs to detect credential theft by looking for geo impossible logins. I couldn’t find an exact tutorial online, so this is my execution of his idea. I based much of the syntax on another Splunk report I found here.