Visualising Security Data : SCCM patching traffic flows

Posted on March 03, 2014

I have been experimenting a little recently with visualisation of security data.

We have had some challenges with SCCM and needed to understand which clients were connecting to which servers, where and why. This data seemed very hard to come by, and after some discussions with some helpful Microsoft South Africa folk the service provider pulled the IIS logs from most of our SCCM Primary Servers and the Distribution Points.

I then added in a Destination column (being the server from which the log was pulled) and combined the logs from all of the servers (6 Primary and 6 Distribution). In MS Access I then summarised the data by source and destination pairs, providing 13952 connections. This was exported as a CSV and headings added in using Notepad (Gephi wouldn’t read the data file without headings named to its liking).

The data was then loaded into Gephi as edge data. I then searched for each of the 12 servers in the node table, added in a Label, changed the colour and size (Red 30 for Primary, Blue 20 for secondary), selected the Force Atlas option and let it plot my data. The 13 546 nodes and 113952 edges were then plotted, providing the graph below (when exported as PDF).

The graph was somewhat unexpected in that I did not foresee so many of the workstations being served from Primary servers, nor so many devices receiving data from multiple servers. A few of the DPs (top and bottom of screen) clearly are not serving the numbers of workstations we would expect and need deeper investigation.

While Excel cross tabs and more detailed Access queries provide more detailed insight into what is going on, this visualisation very quickly demonstrates a very different picture from the one the service provider running the SCCM infrastructure had been describing.
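The log-to-edge-list step described above, sketched in Python as an added example (not the Access/Notepad workflow or any code from the original post). The server names, IP addresses and log lines are constructed, and Source/Target/Weight are the headings assumed here for Gephi's edge import.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data: server name -> IIS W3C log text pulled from that server.
SAMPLE_LOGS = {
    "PRIMARY01": (
        "#Fields: date time cs-method cs-uri-stem c-ip sc-status\n"
        "2014-02-01 08:00:01 GET /content/a.cab 10.1.1.5 200\n"
        "2014-02-01 08:00:09 GET /content/b.cab 10.1.1.5 200\n"
        "2014-02-01 08:01:30 GET /content/a.cab 10.1.1.6 200\n"
    ),
    "DP01": (
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
        "2014-02-01 09:10:00 10.1.1.5 GET /content/a.cab 200\n"
        "truncated line\n"
        "#Fields: date time cs-method c-ip sc-status\n"  # layout changed after a restart
        "2014-02-01 09:30:00 GET 10.1.2.7 200\n"
    ),
}

def parse_iis_log(text, destination):
    """Yield (client_ip, destination) for every request line in one W3C log."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout for the lines that follow
        elif line and not line.startswith("#") and "c-ip" in fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed rows
                yield parts[fields.index("c-ip")], destination

def summarise(logs):
    """Count requests per (source, destination) pair across all servers."""
    edges = Counter()
    for server, text in logs.items():
        edges.update(parse_iis_log(text, server))
    return edges

def to_gephi_csv(edges):
    """Render the edge list with Source/Target/Weight headings for Gephi."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Source", "Target", "Weight"])
    for (src, dst), weight in sorted(edges.items()):
        writer.writerow([src, dst, weight])
    return out.getvalue()

def multi_server_clients(edges):
    """Return clients that contacted more than one server, with the servers used."""
    seen = defaultdict(set)
    for src, dst in edges:
        seen[src].add(dst)
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    edges = summarise(SAMPLE_LOGS)
    print(to_gephi_csv(edges))
    print(multi_server_clients(edges))
```

The `multi_server_clients` result is the tabular counterpart of what the graph showed visually: devices receiving data from more than one server.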

Have you done anything similar? Please do share.

 

Map of SCCM links using Gephi


 

Download the PDF version here :  map of sccm v2

 

UKZN MBA presentation 8th August 2013 : Information Security & Ethics

Posted on August 11, 2013

On Thursday the 8th August 2013 I was once again privileged to be the guest lecturer for the UKZN MBA programme. Despite Friday being a holiday and the start of the long weekend there was a great turnout. Thanks to all the students for all your questions and contributing to making it an entertaining session.

Below is the link to the slides. Please feel free to contact me if you have any questions or would like to discuss the subject further.

security and ethics UKZN MBA August 2013

Award winning presentation on director interlocks on the JSE (SAAA conference June 2013)

Posted on July 14, 2013

 


My MBA dissertation was entitled “An analysis of director interlocks on the JSE - with reference to the top 40 listed companies” and took me quite some years to complete. There were complexities of having to collect all my own data due to inaccuracies in the CIPC database, having to relearn the matrix mathematics that I thought I would never use again after first year university 20 years ago, then figuring out how all these analytical tools work.

During the completion process a few people commented that the only people who would ever read the document would be my supervisor and the two examiners (and even then I would be operating on faith). After all the work I had put in this was quite disheartening. When Leo Deodutt (my supervisor) suggested that we create a paper from the dissertation and submit it for the Southern African Accounting Association Biennial Conference to be held in Cape Town in June I jumped at the chance. What an opportunity to get the message out. Leo did a lot of hard work to cut down the dissertation to a 20 page paper, and in the process we had to restrict the paper to just one of the research questions covered in the dissertation. When the comments came back from the blind peer reviewer there was a nomination for best paper award, which was most gratifying. What an honour just to be nominated.

The presentation itself was again a challenge: to try to fit into 20m what took years to research, and to try to simplify the complexities and distil the message to one that can easily be conveyed to a broad audience. In the end this was achieved and the final presentation is attached. Leo is looking for opportunities to further present the work, and it is likely that we will present again at UKZN in the coming months. Mail me if you have ideas of appropriate forums who may be interested.

The day after the presentation I was absolutely thrilled to discover that we did indeed win the best paper award. I am pretty sure I didn’t stop smiling for a week. Thanks to Leo for all his hard work in making this happen.

Enjoy the presentation and leave any questions in the comments or drop me a mail.

Justin

Download a copy of the presentation :  SAAA conference June 2013 – director interlocks on the JSE final

 

Thought for the day : What makes you good at what you do ?

Posted on May 18, 2013

This morning I received a message from one of our Graduates In Training (GIT’s) : “Hi Justin, quick question. What would you say is the one thing that makes you good at what you do. The key ingredient?”

Now that isn’t quite as easy to answer as it first seems. The challenge is keeping it down to one, when there are a number of things that one is or one does that makes you who you are, but which of those makes you GOOD at what you do.

My first answer was “Willingness to learn” sent fairly quickly. To me we have to be learning things all the time, formal learning, reading, on the job, always sucking up new knowledge and building on the skill set we have. But that still doesn’t really quite get to the heart of it.

So I sent a second message “That + questioning all the time, if you don’t understand something ask, don’t just accept what people say, make them explain why, that way you learn or find out they are not right”.

That was much closer to the heart of it. Have that questioning, enquiring mind. Want to know why things are the way they are and don’t just accept them for the way they are.
The other extension to that is creating a learning culture and environment wherever you are. Not accepting things have to be the way they are and encouraging people around you to learn and to share. Knowledge is power, if shared and if used to support one another. Standing on the shoulders of giants comes to mind**. Some people sadly still see knowledge as power for themselves, so hold onto knowledge and don’t want to share. Those aren’t my kind of people and I certainly don’t want to work with them or surround myself with them.

There are many other things that make one good at what we do :

  • Quality
  • Persistence
  • Perseverance
  • Technical competence
  • Hard Work
  • Lead from the front
  • Surround yourself with good people, with diverse skills
  • Recognise the contribution of others and publicly & privately acknowledge it (the latter half of that I’m not particularly good at – don’t do it often enough).

Perhaps each of us is different enough that we will all have a different “one thing” that makes us good at what we do, and the challenge for each of us is to find that one thing for us that allows us to be the best we can be. If we can see someone similar to ourselves who resonates with us and we can learn from them, great.

Be delighted for you to share your thoughts on the matter.

Simphiwe, thanks for asking the question, and for your enthusiasm and infectious laughter every day, brings sunshine to our lives.

Other Comments from respected IT personalities : 

Great blog post, for me it’s passion, heart, attitude. All synonymous for how one feels towards something, one can be the best in one’s field or subject matter, but without these qualities you're just not going to get people to rally behind you. Yusuf Loonat (Head : Service Delivery : Enterprise Information Management Services : Transnet)

The key ingredients for me are pride, passion, commitment and ethics. All the others are important but these are the threads that hold it together and provide meaning and relevance. Kevin Govender (Head : Strategy and Architecture : Enterprise Information Management Services : Transnet)

to @jjza well written. A passion to make a difference would be my answer. One will find all the ingredients required to satisfy the passion.. Raghuvansh Swami (Partner : Ernst & Young)  (@swamira)

 

From twitter conversation with Darren Smith (@DazMSmith) :

to @DazMSmith Would appreciate your thoughts on this - Question raised by a graduate intern of mine

to @jjza A fascinating question. With no easy answer. But “attitude” separates the mediocre from the exceptional. They envisage 1st, then do.

to @DazMSmith True. I’m intrigued to see most of the answers relate to personal traits rather than knowledge, skill or experience.

to @jjza Absolutely agree! All the skill in the world will get you nowhere if you do nothing with your potential. Or knowledge. Or opportunity.

 

**  Wikipedia tells me to thank Bernard of Chartres not Sir Isaac Newton – interesting

 

Southern African Accounting Association : INTERNATIONAL BIENNIAL CONFERENCE

Posted on May 18, 2013

The SOUTHERN AFRICAN ACCOUNTING ASSOCIATION (SAAA) in collaboration with the INTERNATIONAL ASSOCIATION OF ACCOUNTING EDUCATION AND RESEARCH are presenting an INTERNATIONAL BIENNIAL CONFERENCE THEMED: The challenge of responsible Accountancy Academic Citizenship: The quest to balance teaching, research and academic leadership from 26-28th June 2013 at the LORD CHARLES HOTEL, SOMERSET WEST, CAPE TOWN, SOUTH AFRICA. Website here

I am delighted that a paper prepared from my Masters thesis by my supervisors, Leo Deodutt and myself has been accepted for presentation at the above conference.

During the finalisation of my dissertation there were a number of people who were gleefully reminding me that the examiners and I would probably be the only people who ever read or cared about my research. This didn’t fill me with any joy, so I am truly delighted to have the opportunity to share some of my research. It provides further impetus to the original thinking of publishing the material as a book of some format.

Watch this space :)

New location for Nespresso in Durban (updated with pics)

Posted on March 28, 2013

I received an SMS from Nespresso the other day to say they are currently located at 254 Lilian Ngoyi Road (formerly Windermere road). Their new phone number is 031-303 3374.

Having struggled in the past to find them, and the fact the address and number is not listed on www.nespresso.co.za nor does it come up on a Google search, this may be useful to some of you looking for them.

Update : So as you drive up Windermere road, their shop is a converted house on the right hand side, you can see the palms outside. As you get closer you can see the sign on the road facing part of the building to the left of the palms. At this point you want to be slowing down already as they have off-street parking, and it is easy to miss. The parking is right up against the building, and the solid island does stop so you can turn right into the parking. The security guard will have to open the boom for you.

 

 


 

 

UKZN MBA 2013 Presentation : Security & Ethics

Posted on March 02, 2013

On Thursday afternoon I was privileged to speak to the UKZN 2013 MBA class on information security and ethics. Below is a copy of the presentation. Lots of detail in here which we didn’t get to cover in the two hours together, and lots to remind you of the things we shared. I hope you all enjoyed the time as much as I did.

Feel free to mail me or post any questions here.

Justin

Download PDF presentation : security and ethics 2013 UKZN MBA Feb 2013

 

LinkedIn reaches 200 million and I’m in the Top 5% most viewed profiles (along with 10 million others!)

Posted on February 17, 2013

I received a mail the other day to say that LinkedIn had reached 200 million members, and that my profile was one of the Top 5% of most viewed profiles. Sounds impressive doesn’t it? Perhaps a little less so when you consider 10 million other members must have received the same mail. Ah well, below is a snapshot of that mail and the accompanying info-graphic just for interest sake. Sadly this doesn’t show South Africa to be a top user of Linked In. In fact Africa doesn’t even warrant a dot, I guess that means we have fewer members than even the 3 million of Australia. Ah well.

 


Caffe Luxe’s new and improved Nespresso Compatible coffee pods (mostly just pics)

Posted on February 16, 2013

After one of our readers complained about the Caffelux capsules, the good folk over at luxurycoffee.co.za stepped in and offered to send her some capsules. At the same time they noticed my previous blog post on their coffee still showed the old branding and product. Since the product had been updated with new branding, capsules design improvements and coffee they very kindly offered to send me some of the new coffee to try, which I gladly accepted.

Below you can see the new whiter, lighter branded boxes of the five flavours.

The 5 flavours


Cheap (Legal) copies of Microsoft 2013 applications (for some)

Posted on February 16, 2013

Microsoft has a home use programme that allows employees of many organisations from around the world to get copies of their key products:

  • Office 2013 Professional
  • Project 2013 Professional
  • Visio 2013 Professional
  • Office 2011 for Mac OS X

for the really awesome price of R81 each. This is for the download copy, for R120 extra you can order a physical media copy of each (postage not included).

This is applicable for a lot of people working in large corporates or at educational institutions. You will need the Home Use code, which you can get from your IT department. If you can’t find the code, then try the link below anyway, click the “don’t have code” option, just pop in your email address, and you may get lucky and be able to download it anyway.

Be aware the 2013 version of Office is a download version running in some kind of virtualised environment which will ensure that it keeps up to date. When you download the installer it downloads a “download app” and then downloads and installs all in one, so you don’t get an ISO or installer per se, so you can install on just the one PC. Not really a big problem. On a site I was reading this morning (sorry, forget the name so no details) they did mention that the license key you get with the R81 version works with physical media, so once you have the key, if you can get the media elsewhere you can still use it.

As much as people bemoan the Microsoft Office suite, these are really great apps and at this price, nobody who is entitled to use the programme can complain they are too expensive.

http://www.microsofthup.com/hupemea2/home.aspx?culture=en-GB&country_id=ZA

Transversal password cracking with NMAP (without downloading the hashes)

Posted on February 16, 2013

A few months back I discovered that our service desk had become a little “lazy” and were no longer using the defined process (identify user, randomly generate new password, set to change on first use) and were now handing out weak passwords without requiring the users to change them.

In order to assess the extent of the problem I wanted to do a test against the domain to see how wide-spread the problem was. I Google’d around a bit to try to identify a tool which could perform the exercise for me, but didn’t really find anything that looked suitable. I knew that I didn’t want to grab the hashes and do an off-line attack, but wanted instead to do it “live” against the domain, both to avoid the responsibility of having a copy of all the hashes (risk of is too high and as Head of Infosec I didn’t want that on my head) and also to test the alertness of the security operations centre in detecting the attack.

My criterion was simple: find a tool that, given a file of usernames and a file of passwords, would test the usernames with the given passwords.


Using iDrifta with iPad Mini / iPhone5 / Lightning connector iDevices

Posted on February 16, 2013

The good news is that you can use your iDrifta with the newer Lightning connector enabled devices (iPad 4th Gen, iPad Mini, iPhone 5) but you need to get an Apple Certified 30 pin lightning adaptor. I have yet to try this personally, but have ordered some connectors and converter cables from DX.COM to see if these far far cheaper generic converters will work. Will keep you posted once these arrive and I have tested them.

Just don’t forget, DON’T UPGRADE to iOS 6.1 if you want to keep using your iDrifta, DStvMobile need to sort their nonsense out and get their app upgraded to work with iOS 6.1 before you proceed. (See previous post).

Info obtained from dstv website here 
The iDrifta is a mobile TV decoder that receives DVB-H signal for viewing on iOS devices. For the product to work it must be within the DVB-H coverage area. Currently, the device is compatible with iPhone 4/4S/5*, iPad 1,2,3,4*,Mini* and 3rd generation and the 4th Generation iPod Touch.  * Using an Apple Certified 30 pin to lightning adaptor.

iOS iDrifta users/buyers beware! iOS6.1 not compatible with iDrifta (currently), works fine with Drifta (wifi)

Posted on February 16, 2013

Users of iDevices who own the iDrifta are on the rampage. Since the release of iOS 6.1 the iDrifta has not been working with the iPad/iPhone and DSTV have no useful response. They apologise and have no timelines for implementation of a solution. I have reached out to a few people I know but have received no response either.

The only bit of info is this “Announcement” on their website :

“Apple recently introduced the new iOS 6.1 version for its devices. In keeping in line with the various operating systems that we service, the Drifta is compatible with the new version and we are in the process of making the iDrifta compatible with iOS 6.1 soon.”

Not sure how that helps those users who can’t watch the test cricket or rugby. Seems unfortunate that DSTVMobile aren’t keeping up with the times and testing their products with those they claim to be compatible with.

Some relevant links :

  • Keep checking the iStore.  Let’s hope this is not a repeat of the Blackberry debacle.
  • You can follow the irate stream of complaints on Hello Peter over here (swearing and ineffectual customer service response involved!)
  • The thread on the DSTVmobile forum with the hapless Thulani saying much of nothing
  • And on facebook where a nameless sap apologizes for “any inconvenience that may have been caused.” indeed. A non-functional product “may have” caused inconvenience? What a lame braindead response. Of course it has caused inconvenience, the darn thing don’t work!

 

Service Desk Hell : The case of the missing Purchases Part II

Posted on February 09, 2013

Read part I of Service Desk Hell : The case of the missing Purchase, then click-through.

Read the rest of this entry »
