All posts by Harout

About Harout

Technologist, Cloud Promoter, Automation and Continuous Optimization Advocate. View all posts by Harout →

Security Assessments

April 22, 2022Techaudits, compliance, devsec, devsecops, secops, security, securityaudit, securityconsulting, securitycontrols, trainingHarout

The deal with security compliance assessments and certifications is not just about that annual or bi-annual point in time, during which auditors certify your establishment as compliant. It’s about whether your organization and all of its individuals follow security guidelines and best practices as outlined in the assessment during their day-to-day operations.

Remember: Once auditors issue a compliance certificate and leave your office, from that point forward, your security is as good as your staff’s training, and discipline to follow security controls.

This is an everyday thing; not once or twice a year thing!

A Security+ Nostalgia

April 19, 2022Techcloud, cybersecurity, devops, devsecops, nostalgia, oldschool, secops, securityplus, sysadminHarout

Going through modern Security+ material, seeing mentions of legacy technologies and methodologies such as Sub7 or War-driving was a pleasant time travel 🙂

hackathon Gems

April 8, 2022Techcybersecurity, hackathon, hiring, networksecurity, security, securityconsulting, securitycontrols, securityprofessionalsHarout

If you’re attending a hackathon/security conference looking to recruit good security professionals, keep an eye for those using personal Internet devices, tethering via cell phone, or better yet, tethering via a cable connection to their cell phone to gain internet access.

As to those who are using the convention center’s free wifi during a hackathon/security event, maybe enroll them in some good security training programs first, if you really want to hire them.

Matter of preference

March 11, 2022Techchat, collaboration, collaborationsolutions, slack, teamsHarout

I understand this topic is a matter of personal preference, but I have to say; having had exposure to both platforms, I’ll take Slack over Teams as a collaboration platform any day…

Feels like yesterday…

March 4, 2022Techapache, cloudcomputing, inventorymanagement, lamp, legacy, linux, logistics, network, oldschool, pda, php, solutionarchitecture, solutions, team, warehouses, wifi, windows, workHarout

Feels like it was just yesterday when…

We transformed how a full-house inventory exercises were performed across warehouses, for an international book and magazine distribution business.

The solution we introduced included handheld PDAs running Windows CE, with bar-code scanning attachments, hooked up to a custom designed broad WiFi “mesh” network (before modern mesh WiFi became a thing you can buy), backed by a LAMP server hosting the inventory web front-end and database.

This setup was a game changer to the inventory team, as it reduced the amount of time it took to complete their yearly exercise from a multi-week effort to just a few days.

Bear in mind this was before the age of cloud computing, smart phones, 4G/5G networks, lightweight laptops and tablets.

To me, the level of excitement, the dropped jaws on the faces of all team members, senior management, and executive stakeholders, was the payoff to the work we did. It was quite the fun project to be a part of.

This was back in 2003. How time flies by…

Automate all the things?

February 17, 2022Techautomateallthethings, automation, automationengineer, cloud, cloudcomputing, complexity, devops, techopsHarout

Look… we get it; it’s easy to get carried away with the “let’s automate this, let’s automate that, let’s automate everything!” enthusiasm.

Before you go ahead and commit your team to a ton of automation work spanning the foreseeable sprints, it is best to have a sit down with your leads and establish an outline of all domains in which automation makes sense, prioritize those where repetitive high-frequency tasks reside, reduce hours consumed by your in-house skill overwhelmed by running routine tasks, and work your way down that list.

The last thing any directive would want is for their team spending months on an automation build-out, only to no longer be needed due to product life-cycle deprecation.

The goal of automation is to simplify and streamline workflow, reduce overhead, and allow skill to be leveraged where it is needed most… and that is not, in troubleshooting automation complexity issues.

Nice to have…

January 11, 2022Techagile, agileleadership, engineeringmanagement, itmanagement, leadershipandmanagement, leadershipculture, platformengineering, platforms, projectleadership, projectmanagement, projects, technicalprojectmanagementHarout

Platform projects, whether on-premise, cloud, or hybrid in nature, generally have two high-level lists: The Must Have’s, and the Nice-to Have’s. Almost each one of these projects, drifting from their original delivery timeline, is due to an imbalance between these two lists.

This is why a Technical Project Management overview is important during the development phase of a platform build. Joining efforts with Product Management, these two units can control the balance between the two lists, ensuring engineering and development efforts are invested appropriately, with minimum drifts into endless rabbit holes.

Two-factor authentication – just do it already!

July 20, 2018Tech2FA, authentication, cybersecurity, devops, devsecops, duo, MFA, secops, security, sitesecurity, sysops, two-factorHarout

During a recent conversation, I was asked to briefly describe what two-factor authentication is, while keeping the technical bits at a minimum.

In the age of everything web, most of us have heard of two-factor authentication. Commonly referred to as 2FA or MFA, it simply is the composition of two secrets, one static and the other dynamic in nature, combined to establish a password that is almost impossible to guess or brute force.

Of course, there’s more to it than described above. The static secret is what we commonly use, combined with a username in most authentication mechanisms in the form of a login window. A username and a password to sign into a protected website.

This is where the dynamic part comes in play, converting an otherwise traditional authentication mechanism into a new level of authentication security.

When a web login is configured with 2FA/MFA, the login process is adjusted to accommodate a secondary validation, in most cases by an independent party, unrelated to the source of authentication validating the username and password. This is where “second factor” authentication comes from; it really means a secondary source of authentication, and validation of the party attempting to authenticate.

The secondary validation provider comes in many different forms such as a one-time code sent via email, text message (SMS) or generated using a device or a mobile app. This one time code is supplied during the authentication process confirming that the party attempting to login with the username and password is in fact an authorized party.

Some 2FA/MFA providers even include additional features such as a PUSH notification prompting the user on their smart phone or tablet to approve a login process, and in certain cases (not as common) a call-back number previously configured where the authenticating party will receive an automated voice call with an access code provided verbally.

All this may sound too complicated to some. However, in practice, it has proven to be much simpler to use than expected. Why is that?

For starters, due to the 2FA/MFA layer, the static password no longer has to be one of high complexity, allowing users to start using simpler passwords again.

Remember, the password by itself is no longer sufficient to process authentication, unless paired with a 2FA dynamic code. This means users can now have easier passwords to remember, and simply punch in a 6 digit code that is rendered on the screen of their phone, or better yet, simply tap “Allow” on a screen prompt.

Additionally, this renders the user’s credentials “hack” proof. With a properly implemented 2FA/MFA, even if the user’s username and password are compromised, without the second factor dynamic code, login will not work.

Also, as an added benefit to newer versions of 2FA/MFA providers, if the user has their 2FA/MFA configured with a PUSH notification, they will instantly know if there has been an unauthorized login attempt with their compromised credentials. In many cases, the 2FA/MFA app also provides means for the user to lock or deactivate their account directly via the app if there’s a reason to believe that a compromise has occurred.

Today, there are many businesses providing 2FA authentication as a service, simplifying implementation and reducing the overhead of maintaining and building such systems. Most Major players like Google, Facebook, Amazon have already bundled 2FA/MFA as part of their login process, meaning a user has to simply enable it and start using it.

Banks, credit companies and other financial institutions are also pushing forward to introducing 2FA/MFA into their login process. As a matter of fact, it is becoming a requirement by security compliance agencies and auditors.

We strongly recommend businesses to follow this trend and include a 2FA/MFA authentication mechanism to their web presence, their shopping carts and their user portals, providing their users with a higher level of security and the peace of mind, knowing their accounts are well protected.

We also encourage everyone out there to leverage 2FA/MFA as much as possible. We all have many logins to remember and work with: from our bank portals, to social media and email, we simply can’t afford the risk.

There are many 2FA/MFA management apps out there such as Duo, Google Auth, Authy …etc that allow a user to store and manage all of their 2FA/MFA entries. Most of these apps are compatible with majority of 2FA/MFA service providers.

If you’re on the edge about 2FA/MFA, just do it! the peace of mind is worth the extra 2 minutes it would take to enable it in your email or in many of the websites you use!

Fail2ban on OpenBSD

November 6, 2014TechBSD, devops, fail2ban, linux, openbsd, OperatingSystems, secops, security, ssh, sysopsHarout

Fail2ban is a nifty security tool that can monitor log files (ssh apache squid…etc) and execute commands, such as adding an IPtables rule, blocking the offending IP address.

On Debian/Ubuntu, fail2ban is available in repositories and once installed, it will default start protecting ssh attempts. Such a great safety mesure for so little work required (just install it!).

This post however, is to discuss the installation of fail2ban on a server running OpenBSD (in this case, 5.1) and setting it up to protect SSH from bad login attempts.

Note: This is not a post on how to use PF on an OpenBSD server 😉

– Install python [pkg_add python-2.7.1p12.tgz]
– Get copy of fail2ban master branch https://github.com/fail2ban/fail2ban
– Install fail2ban by running: python2.7 setup.py install
– Once installed, configs are in /etc/fail2ban
– find jail.conf and add a new “jail” section as follows:

[ssh-pf] enabled = true filter = sshd action = pf logpath = /var/log/authlog ignoreip = "a whiltelisted IP"

– Next, go to /etc/fail2ban/action.d
– Create a new action config named ‘pf.conf’
– Add the following to it:

[Definition] actionstart = actionstop = actioncheck = actionban = /sbin/pfctl -t Banned -T add < ip > && /sbin/pfctl -k < ip > actionunban = /sbin/pfctl -t Banned -T delete < ip > [Init]

– Now we need to set up /etc/pf.conf with some block rules.
– Assuming you already know how to use PF, we will need a table and a block rule for the table:

# Fail2Ban dynamic table table < Banned > persist

# Fail2Ban blocks
block log quick from { < Banned > } to any

– To start/stop fail2ban on OpenBSD
# fail2ban-client start # fail2ban-client stop
– To look at the PF table for IPs
pfctl -t 'tableName' -T show
– To clear contents of the table
pfctl -t 'tableName' -T flush