Risk Management – Part 1: Introduction

“Risk and Risk Tolerance are Business Decisions”

I have posted a couple of blog posts about the concept of Risk and the common misconceptions about it, and we agreed that Risk is a business term and not an IT security term by any means. Risk is defined as the likelihood of business loss. This can be financial loss, legal loss or even reputational loss.

We also agreed that IT security people should understand both business and technology to deal with Risk: a lot of technology, and a little business, finance and return-on-investment. IT security people should provide business justification to business people for applying security controls, and spell out the business impact (loss) of not doing so.

“You need to understand the business to deal with Risk”

I recommend that you read this previous blog post to get a quick overview of what we are trying to touch on in this blog series. You cannot go to a business and say you want to implement an Antivirus solution just because you think they should have one. The people who write the checks are business people, and they need business justifications. They will agree with you if you show them how the business will lose money for not having Antivirus. This is how you should deal with Risk.

Moving forward, Risk and Risk Tolerance are pure business decisions. In other words, the business decides the risk tolerance and the accepted risks. So in order to deal with risk, you need to know how the business makes money. The more you know about the business and its profit, the easier it is to sell security to the boss or owner. Security is the biggest selling game you have to master, and Risk Management is your tool.


Think about this. If you are going to buy a new computer, your boss or owner will understand spending 1000 dollars because they can imagine an employee sitting there doing his job. If you build a web site and spend 5000 dollars, business people will understand that because they can see it. Computer security, on the other hand, has an outcome but cannot be seen physically; that is why you need to understand the business and provide business justifications by doing a risk assessment. After all, Security Management is simply paying money for nothing to happen.

Keep in mind also that Risk Management and Computer Security are not a one-time practice. You cannot bring someone in from outside to “secure” your network and then have him go away because he finished securing your environment. The same applies to Risk Management: as the business changes, you will have new risks with each change along the way. Below you can see the fundamental steps for handling Risk.

1. Know the assets that matter most to the business

To start handling Risk, the first thing to do in this assessment is to figure out which assets matter the most to the business (e.g. trade secrets, contact information…). It is very common that what you (as a security expert) think is valuable to the business is not actually what is valuable to the business. You may visit a company, see valuable servers and SQL databases, and think “those databases are the most important asset that I have to invest time and money protecting”, while all that matters to the business is its contact information, located in a separate file share! For the business, losing that contact information means they are out of business.


2. Threats to those assets?

After identifying what matters to the business, you can move on and ask yourself “Now that I know the important assets, let me see what the possible threats are”. Threats are simply all the forces that can be considered sources of danger: natural disasters (floods, earthquakes), human mistakes and stupidity (accidentally deleting a file), or simply a cracker who breaks into your systems.

Remember that each business faces a different set of threats. A certain threat can be a big deal for one business but completely ignored by another. For example, online attacks are a big threat for a business with an online presence on the internet, while the same threat can be ignored by a business without one.

Threats can be ranked (High, Medium, Low). If you live in a safe neighborhood and someone comes to sell you a 5,000 $ home security system, I do not think you will buy it, because the danger (threat) of being robbed in that safe neighborhood is low.

If you live in a neighborhood with a lot of crime, you know the possibility of being robbed is high (the threat is high), so you may consider buying that expensive home security system after all. Since Risk is calculated as Threat times Vulnerability, the likelihood of a threat affects the value of the associated Risk.

3. How well are they protected?

Next, look at how vulnerable (how poorly protected) the systems are against those threats. Remember that Risk is measured as (Threat x Vulnerability), so if both the threat and the vulnerability are high, you will have a big risk.

If, for example, the building where all the servers are located is in a flood area and the server room is on the first floor, then the threat is high (there is a big possibility of floods in the area) and the vulnerability is high (the server room is on the first floor). This indicates a high risk.

If the server room is on the first floor (high vulnerability) but the building is not in a flood area (zero threat), then the risk may be considered zero although the vulnerability is high (because anything times zero is zero).


4. Does the business care?

Finally, you can put all this together by adding the business impact and justification. It is not rocket science after all. You can say something like “We think we should invest 10 000 dollars moving the server room to the third floor because there is a big risk of a flood taking down the servers. The downtime will cost the business 15000 dollars, so I guess it is worth it”. There you go; you can sell it that way. Remember, this is all a business exercise, and you should provide the business justification and the possible loss to the business. It is like selling any item: you start by mentioning the benefits of the item you are selling and how bad off you will be without it.

If the Threat is High (you live in a neighborhood with a lot of crime, so the threat of being robbed is big) and the Vulnerability is High (your house is not well secured), you may think that, since Risk = Threat times Vulnerability, the Risk should be high. Well, there is a missing piece, which is “does the business care?”. Is there a business impact or loss from this danger? In our example, your house may be empty, or it may contain nothing important, and you do not actually care if it gets robbed. The same goes for a business: you may be evaluating the threat of someone stealing money from the corporate cafeteria, which happens to be vulnerable to theft, but the business really does not care about it. Although both Threat and Vulnerability are high, the Risk is low!


Summary

In summary, do not assume which assets are valuable to the business; instead, ask the business what its most valuable assets or services are. This is a turning point when dealing with Risk. From there, start investigating what the possible threats to those assets are and what the vulnerabilities are. Remember that Risk = Threat x Vulnerability. Finally, you should come up with a business justification for the security outcomes and the business cost (possible loss) of not doing that. The more dollar signs you put in the final equation, the easier it is for everyone to digest your analysis.

Shaking BitLocker – Backup keys to AD and play around

I have come across many scenarios where people keep their BitLocker information in AD, and then various odd situations happen along the way that I want to talk about in this blog post.

Problems

Case 1 : What happens if you rejoin a BitLocker-protected computer to the domain

Case 2 : Renaming a computer that has BitLocker

Case 3 : A computer was used by user1; user1 resigned, so you reset the computer account in AD, reformatted the machine, joined it to the domain and re-enabled BitLocker on it

Case 4 : Deleting a computer that has BitLocker from AD

Case 5 : Enabling BitLocker before joining the machine to the domain

Case 6 : Divergence: you have a domain-joined machine with BitLocker enabled, but in AD you have no recovery information for that computer.

Moving to a New Blog Platform

This post is now moved to my new blog platform at https://blog.ahasayen.com. To continue reading this blog post, please click here

https://blog.ahasayen.com/bitlocker-tips-and-tricks/

Recover BitLocker keys from the Recycle Bin!

Problem

You have AD with the Recycle Bin enabled.

You are storing BitLocker recovery keys in AD.

You have deleted a computer object that had BitLocker recovery information under it.

You then restored that computer account from the Recycle Bin.

No BitLocker recovery information exists on the recovered computer object! What the heck?!

Reason

Going back to basics: do you know where the BitLocker information for a computer object is stored? It is stored in child objects beneath the computer object itself.


Now, when the computer gets deleted from Active Directory and moved to the AD Recycle Bin, the links between the child objects and the parent are broken. In the AD Recycle Bin you will see both computer objects and child objects stored there as separate deleted objects. If you reach into this recycle bin and pull out a computer object, you will not see any of its child objects attached to it any more. This is exactly what happened when you restored the AD computer from the Recycle Bin: you got the computer object without its child objects.


Solution

Luckily for all of us, each deleted child object of type (BitLocker Recovery Information) has an attribute called (lastKnownParent). So you can go to the Recycle Bin and ask: “I have a parent called ComputerX, so which of you are the children of this computer (which of you has lastKnownParent = ComputerX)?”

Download Script

Go to your Domain Controller or any machine with the Active Directory PowerShell module, open PowerShell using a domain administrator account (only a domain admin can restore from the AD Recycle Bin), and run the script from there. Make sure the AD PowerShell module exists on that machine.

Do not forget that you may need to run Set-ExecutionPolicy Unrestricted on PowerShell to allow script execution.

I take no credit for writing this script. You can find the original script here, written by Norman Bauer. I also copied the script to my repository so you can download it directly.

Download the script  http://sdrv.ms/1axvqS4

How does the script work

  • It asks you for the name of the computer to restore
  • Validation check: it first checks whether that computer exists in AD
  • If not, the computer may be in the Recycle Bin, so it searches there and reports if it is not there either ($deleted = Get-ADObject -IncludeDeletedObjects -Filter {sAMAccountName -eq $computername -and Deleted -eq $True})
  • If the computer is in the Recycle Bin, it restores it ($deleted | Restore-ADObject)
  • Then it searches the Recycle Bin for child objects whose lastKnownParent equals the DistinguishedName of the restored computer ($recoveryinfos = Get-ADObject -IncludeDeletedObjects -Filter {lastKnownParent -eq $restoredobject.DistinguishedName -and Deleted -eq $True -and objectClass -eq 'msFVE-RecoveryInformation'})
  • If any are found, for each child object (ForEach($recoveryinfo in $recoveryinfos)) it runs $recoveryinfo | Restore-ADObject
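The procedure above, as an added PowerShell example that is neither Norman Bauer's script nor the copy linked from this post: it performs the same lookup and restore with the validation steps made explicit and a -WhatIf preview. The function name and the computer name PC01 are mine; it assumes the ActiveDirectory module and an account permitted to restore deleted objects.

```powershell
# Added example, not the script the post links to: restore a deleted computer from the
# AD Recycle Bin together with its msFVE-RecoveryInformation children, which are found
# through their lastKnownParent attribute. Supports -WhatIf to preview the restore.
Import-Module ActiveDirectory

function Restore-ADComputerWithBitLockerKeys {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$ComputerName)

    # Computer accounts carry a trailing '$' in sAMAccountName; accept both spellings.
    $sam = if ($ComputerName.EndsWith('$')) { $ComputerName } else { $ComputerName + '$' }

    # Without the Recycle Bin feature, deleted objects are plain tombstones that have
    # already lost most attributes, recovery passwords included: stop early.
    $feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    if (@($feature.EnabledScopes).Count -eq 0) {
        throw 'The AD Recycle Bin is not enabled in this forest; deleted objects cannot be restored intact.'
    }

    # Validation: if the computer is still live, there is nothing to restore.
    $live = Get-ADComputer -Filter { sAMAccountName -eq $sam }
    if ($live) {
        Write-Warning "$sam still exists at $($live.DistinguishedName); nothing to restore."
        return
    }

    # Look for the computer among the deleted objects.
    $deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -Filter { sAMAccountName -eq $sam -and Deleted -eq $true }
    if (-not $deleted) { throw "$sam was not found in the AD Recycle Bin either." }

    # The children remember the parent's ORIGINAL DN: CN=<name> under the computer's own
    # lastKnownParent. A deleted object's Name is "<name>\0ADEL:<guid>", i.e. the original
    # name followed by a newline, so the part before the newline is the original CN.
    $originalCn = ($deleted.Name -split "`n")[0]
    $originalDn = "CN=$originalCn,$($deleted.lastKnownParent)"

    if ($PSCmdlet.ShouldProcess($originalDn, 'Restore computer object')) {
        $deleted | Restore-ADObject
    }

    # Ask the Recycle Bin which BitLocker recovery objects used to live under that DN.
    # The recovery password attribute is deliberately neither requested nor displayed.
    $recoveryInfos = @(Get-ADObject -IncludeDeletedObjects -Filter {
        lastKnownParent -eq $originalDn -and Deleted -eq $true -and objectClass -eq 'msFVE-RecoveryInformation'
    })
    if ($recoveryInfos.Count -eq 0) {
        Write-Warning "No deleted BitLocker recovery objects found for $originalDn."
    }

    $restoredChildren = 0
    foreach ($info in $recoveryInfos) {
        # The parent must exist again before its children can be put back under it.
        if ($PSCmdlet.ShouldProcess($info.DistinguishedName, 'Restore BitLocker recovery object')) {
            $info | Restore-ADObject
            $restoredChildren++
        }
    }

    [pscustomobject]@{
        Computer         = $originalDn
        RecoveryObjects  = $recoveryInfos.Count
        ChildrenRestored = $restoredChildren
    }
}

# Constructed computer name: preview first, then run for real.
# Restore-ADComputerWithBitLockerKeys -ComputerName 'PC01' -WhatIf
# Restore-ADComputerWithBitLockerKeys -ComputerName 'PC01'
```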

Sandbox for malware detection

The problem

Crackers are getting smarter every day. They are using new and sophisticated ways to encrypt their malware or to make it change its shape and signature over time. This makes it very difficult for signature-based antivirus solutions to detect and protect against those types of malware. Furthermore, zero-day attacks are becoming more common than ever, and IT security people should respond.

Solution

Since we cannot depend on comparing a malware file against a list of signatures in a database, we should think of a way to study the life cycle of the malware when it is in motion (in action). Just imagine that you are given a malware file and are asked to study its behavior. Usually you will let it run in a controlled environment and start monitoring what the malware does to the registry, the OS, processes and memory, and what network connections it opens. A sandbox is exactly the same idea.

Sandbox is originally a concept used to describe running a program in an isolated and controlled environment for evaluation and testing purposes. Usually sandboxes are used to test applications from untrusted third-party vendors. Security people now use sandboxes for malware investigation and detection.

How does it work

When a user first downloads an executable file, the file is downloaded to his machine and a copy of the file is also sent to the Sandbox for evaluation. The Sandbox contains a couple of virtual machines that simulate the end user’s operating system down to the patch level. Since the Sandbox is optimized for this work, it will execute the file quickly and start studying its behavior. If it sees the suspected malware connecting back (call back) to the cracker’s command and control center, it will block it if it is configured to do so, or just log the incident.


Sandbox malware detection uses behavior-based malware classification patterns, not code-based signature solutions. Patterns cover everything from generic malicious behavior (e.g. creating files, modifying registry keys) to family-specific behavior patterns (e.g. banking Trojans, keyloggers). Malware infects the virtual systems inside the Sandbox, creates and deletes files, replicates, connects to carefully controlled IRC servers and URLs, sends emails, sets up listening ports, or performs most other functions as it would on real systems. Working at the kernel level, the sandbox emulator exercises the malware, intercepting its behavior and converting it into step-by-step forensic intelligence, providing a map of the damage the threat would cause if allowed to run on a real machine, without ever putting actual systems at risk.

Sandbox ISO Images

Usually the Sandbox contains many virtual machines (ISO images) for different operating systems (typically Windows XP SP3 and others). Each machine simulates one of the possible operating systems inside the corporate network down to the service pack level. Some Sandboxes allow you to copy in the “gold image” that you use internally on your machines, which creates a very similar virtual environment inside the Sandbox and allows better judgments.

Usually Sandboxes do not contain ISO images for Apple, Android, Linux or other non-Windows devices, and it is likely that the Sandbox will not be able to do anything about malware written to target those operating systems. This is an obvious limit for Sandboxes when it comes to malware detection!


Malware is VM aware

Intelligent malware can detect whether it is running inside a virtual machine rather than on an actual user workstation by looking at different things (like the VM processes or the network card MAC addresses), and will then sleep and do nothing, as it knows it is being evaluated inside a virtual environment by a security team. Sandbox vendors compete to build an internal environment on an undetectable virtualization platform so that the malware stays active when it gets analyzed. Think about it: if the Sandbox runs VMware virtual machines inside it, then when it evaluates a malware sample, the malware may be smart enough to know it is in a known virtual environment and do nothing, so the sandbox will not detect anything suspicious, allowing the malware to spread inside the network undetected. Most Sandbox security vendors claim that they have their own virtualization platforms to simulate the end user OS environment, but they do not share these details in public, so malware writers cannot get around their product.

Final Thoughts

I believe the Sandbox approach to detecting malware, alongside signature-based detection, is a big step towards better security. Sandboxes can detect malware that signature-based solutions usually cannot.

Nevertheless, most Sandboxes do not have ISO images for Linux, Apple and other legacy operating systems, so if you use those a lot, a Sandbox will not be useful there.

The interesting part is that botnet-type malware will usually stay in sleep mode until the bot master activates it. This means that it will definitely bypass Sandbox security.

Furthermore, crackers are getting smarter now and will wait for the user to make a couple of clicks on his machine before activating the malware, in order to bypass Sandbox systems. Interesting, right?!

Again, the Sandbox is definitely a big step in the right direction that can raise your security level, but it is not completely bulletproof, and Sandboxes are very expensive financially and operationally. Doing a simple Risk Assessment in your company would be the way to go when deciding whether to purchase one of those products, as it depends on the business you are in.

Metamorphic and Polymorphic malware : changes its shape like a real virus !

Can you imagine that a piece of malware code can change its shape and signature each time it appears, to make it extremely hard for signature-based antivirus to detect it?! This is called Polymorphic or Metamorphic malware.

In its annual threat report, security firm Sophos said that the majority of samples it observes are unique attacks associated with polymorphic malware!

Although the idea of mutating malware sounds quite scary, it has actually been used by malicious hackers since the early 1990s, but they are getting very advanced. Usually antivirus solutions use signatures to identify malware by comparing each file with their database of malware signatures. If the file under investigation has a signature that looks like one of the signatures in their database, then they will detect the infection.

Crackers are getting smarter. When you visit a suspicious web site, you will get infected with malware of a certain shape and signature. When another person visits the same site, he will get infected with the same malware but with a different shape and signature. Each time someone downloads that malware, a new shape is generated for the same malware automatically. Actually, refreshing that page will generate a new shape of the same malware! This makes it very difficult for signature-based antivirus solutions to handle.

Moving to a New Blog Platform

This post is now moved to my new blog platform at https://blog.ahasayen.com. To continue reading this blog post, please click here

https://blog.ahasayen.com/metamorphic-and-polymorphic-malware/

Security Theory – Risk is a business concept, not an IT term

Introduction – the wrong and right

The wrong thing

Why do IT people and security specialists need to know and study the art of Risk, Risk Assessment and Risk Analysis?

Why does every security exam like CISSP dedicate a whole section to “Risk”? Who cares, really?! Why don’t you just do your homework, implement some security best practices and hope nothing bad will happen?

Have you ever asked business people to spend a couple of thousand dollars to purchase security products? When they asked why, you answered “Well, to prevent hackers and secure the systems!!”.

I can imagine the look on the faces of the business people who write the checks, as the last thing they want is to spend money on something they cannot feel or digest. If you asked them to write checks for laptops, they might agree, because they can imagine a person using that laptop to do his work; laptops are physical assets after all. When you start talking about securing the systems, do not expect business people to ever understand this. Usually business people could not care less about security until they get attacked heavily.


Think about this: if you are in a small organization with a couple of sales people and 2000 dollars of profit daily, and you have a couple of servers located in the kitchen because you do not have a server room, then you cannot go to your boss asking for an IDS system that costs 50,000 dollars in order to implement detection countermeasures. If you understand your business and profit, and study the risks, an IDS could be the last thing to consider at this point.

The right thing

Now, if you go to your boss telling him that you need to build a server room to put all the servers in, as it is more secure that way, he may or may not agree with you. Instead, if you tell him “We need to spend 5000 dollars building a server room; not doing that may allow anyone to steal the servers from the kitchen and cause the business to stop for a couple of days”, then since the business makes 2000 dollars of profit per day, it makes sense to invest in a 5000-dollar server room, because the business impact of not doing so is bigger.

“Security people need to understand business and how to speak to business people and to justify their security countermeasures by speaking about the likelihood of business losses (Risk) if they do not purchase or implement security systems”.

Security specialists cannot just go and implement random security solutions (think about the IDS in the previous example). Instead, they need to understand the business and what can cause the business a loss (Risk), and use that as the driver for implementing security measures (Risk Mitigation). So let us talk more about “Risk” from that perspective.

Risk is a business thing?!!

First of all, remember that “Risk” is simply a business concept. It was invented for businesses to talk about their potential loss, whether it is a financial loss or another type of loss. Risk is not an IT concept at all. Keep this in mind always.

A business can be at risk when merging with another company (financial loss), or it can be at risk if it loses its secrets (legal loss). A business can also be at risk if the servers go down (financial loss; think about the Facebook site going offline for a couple of hours).

Risk is defined as the likelihood of the business suffering a loss. For example, you can say that the business is at big risk of losing all its assets if an earthquake hits the building, or that the business is at big risk if its medical information gets published.

Since Risk is a business concept, why should I learn about it? Well, IT and Risk intersect when IT security people start talking about the security solutions that should be in place to protect the business from loss. So you can say “what will happen if a server goes down because of a virus, for example, and how much money will this cost the business?”. This simply justifies your need for an Antivirus solution.

For you as an IT person, risk becomes relevant when the business loses something because your systems went down or were attacked. Loss can come from different sources:

  • Downtime: when your system goes down because of viruses, DoS attacks or any other reason. This downtime can cause the business some kind of loss, thus putting it at risk.
  • Legal issues: for example, if someone hacks into your medical database and pulls out medical information about people, the hacker may not get money and you may not lose money, but you will have many legal issues to deal with because your database was compromised. This is another type of loss that puts the business at risk.
  • Trade secrets: information disclosure will cause the business a financial loss or the loss of customers, thus putting the business at risk.


What is Risk for IT Security then?!

People have different ways of understanding how risk is measured and evaluated. I am most comfortable with a particular way, which I will try to explain here:

Risk = Threat x Vulnerability

So the likelihood of loss equals how high the threat is times how vulnerable my business is to that threat.

Do not think of this in a numerical way, by saying for example that threat is 40 and vulnerability is 10 so I will have Risk = 400 or so. It does not work this way.

Instead, think about it in a High, Low and Medium way. So if both threat and vulnerability are high, then I will have high risk. If both are low, then I will have low risk.

If I am worried about online attacks and my business has an online presence, then there is a threat, and because hackers always target online websites, the possibility of being attacked by a hacker is high, and thus the threat of hackers is high. Now if I do not have firewalls and antivirus, I am vulnerable to that threat, so my vulnerability is high, and thus the risk is high. If I happen to have a good firewall and antivirus solution, then my vulnerability is low, so the risk of hackers could be medium, because the threat is still high.

What you can easily notice from this equation is that anything times zero equals zero. So if either the threat or the vulnerability is zero, then the risk is simply zero. Let me explain more: if we are to evaluate the risk of earthquakes for a business located in a place that does not have earthquakes, it is not logical to implement any countermeasures against earthquakes, because the threat (the danger) is zero, and so the risk equals zero, because anything times zero is zero. No matter how vulnerable your business is to earthquakes, it does not matter.

Also, if you have many countermeasures and security controls in place against online hacking, then your vulnerability to online hackers is zero, and the risk is zero no matter how high the threat is.
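The Threat x Vulnerability rule above, together with the “does the business care?” step from the Risk Management post earlier on this page, as an added PowerShell example that comes from neither post: it evaluates the scenarios both posts use and ranks them so the highest risk comes first. The numeric ranks are only used to order High/Medium/Low, not as scores, and the rule that a modest business impact caps the level is my assumption rather than something the posts state.

```powershell
# Added example, not code from the blog: a qualitative evaluator for
# Risk = Threat x Vulnerability followed by the "does the business care?" gate.
# The ranks only order the levels (None < Low < Medium < High); they are not scores.
$script:Rank = @{ None = 0; Low = 1; Medium = 2; High = 3 }

function Get-RiskLevel {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('None', 'Low', 'Medium', 'High')][string]$Threat,
        [Parameter(Mandatory)][ValidateSet('None', 'Low', 'Medium', 'High')][string]$Vulnerability,
        # Business loss if the threat materialises: the "does the business care?" question.
        [Parameter(Mandatory)][ValidateSet('None', 'Low', 'Medium', 'High')][string]$Impact
    )

    # Rule 1: anything times zero is zero. No threat, or no vulnerability, means no risk
    # however bad the other factor is (the "no floods in this area" case).
    if ($Threat -eq 'None' -or $Vulnerability -eq 'None') {
        return [pscustomobject]@{ Level = 'None'; Rule = 'threat or vulnerability is zero' }
    }

    # Rule 2: read Threat x Vulnerability qualitatively. High x High is High,
    # High x Low is Medium, Low x Low is Low; the Medium combinations fall in between.
    $product = $script:Rank[$Threat] * $script:Rank[$Vulnerability]
    if     ($product -ge 6) { $level = 'High' }    # High x High, High x Medium
    elseif ($product -ge 3) { $level = 'Medium' }  # High x Low, Medium x Medium
    else                    { $level = 'Low' }     # Medium x Low, Low x Low

    # Rule 3: the business gate. If the business does not care about the asset
    # (the cafeteria cash example), the risk is Low whatever the product says.
    if ($Impact -eq 'None') {
        return [pscustomobject]@{ Level = 'Low'; Rule = 'business does not care' }
    }
    # Assumption beyond the posts: a modest impact caps the level but never raises it.
    if ($script:Rank[$Impact] -lt $script:Rank[$level]) { $level = $Impact }

    [pscustomobject]@{ Level = $level; Rule = 'threat x vulnerability, capped by impact' }
}

# Rank a list of scenarios so the highest risks come first: the "compass".
function Get-RiskRegister {
    param([Parameter(Mandatory)][object[]]$Scenario)
    $Scenario | ForEach-Object {
        $r = Get-RiskLevel -Threat $_.Threat -Vulnerability $_.Vulnerability -Impact $_.Impact
        [pscustomobject]@{
            Asset = $_.Asset; Threat = $_.Threat; Vulnerability = $_.Vulnerability
            Impact = $_.Impact; Risk = $r.Level; Why = $r.Rule
        }
    } | Sort-Object { $script:Rank[$_.Risk] } -Descending
}

# Constructed scenarios, taken from the examples in the two posts.
$scenarios = @(
    @{ Asset = 'Servers, first floor, flood area';     Threat = 'High';   Vulnerability = 'High'; Impact = 'High' }
    @{ Asset = 'Servers, first floor, no floods';      Threat = 'None';   Vulnerability = 'High'; Impact = 'High' }
    @{ Asset = 'Cafeteria cash box';                   Threat = 'High';   Vulnerability = 'High'; Impact = 'None' }
    @{ Asset = 'Web site behind firewall and AV';      Threat = 'High';   Vulnerability = 'Low';  Impact = 'High' }
    @{ Asset = 'Contact list on an unprotected share'; Threat = 'Medium'; Vulnerability = 'High'; Impact = 'High' }
) | ForEach-Object { [pscustomobject]$_ }

Get-RiskRegister -Scenario $scenarios | Format-Table -AutoSize
```

The flood and contact-list scenarios come out High, the protected web site Medium, the cafeteria Low (business does not care) and the no-flood server room None (zero threat).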

Final Thoughts

Finally, IT security specialists should study the concept of Business Risk and how to mitigate those risks by implementing security solutions. Knowing what causes the business to lose money or reputation should be your drive to focus your efforts on what to protect, or what to protect most.

Studying the types of threat that the business can face is very important. Each business faces different types of threats. A certain threat can be a big issue for one business but can be ignored by a different business. A company without an online presence will care nothing about online attacks, for example. Knowing the business will give you a clear picture of the types of threats, and thus the risks, the business can encounter. Keep this in mind.

Also, it is not practical to implement security solutions just because you think you should. Why implement a complex IDS on workstations when the business may not be affected if those workstations are down? Maybe the business is using web servers with static content, and bringing all those servers down will not affect the core business, so the impact of that risk can be ignored and you should not focus on securing those servers.

Risk Assessment also controls the IT security budget, by making sure the money is spent on protecting the business’s most valuable assets and on the things that could cause big damage to the business.

Risk Assessment, from my point of view, is like a compass: it calculates danger times vulnerability, asks the business if it cares, and finally directs security efforts accordingly.

RISK ASSESSMENT = COMPASS


Balance Cluster groups – Alert Script

 

Mission

You have two cluster nodes running two cluster groups (e.g. a file share and a SQL instance).

You want to make sure that one cluster group is online on one cluster node and the other cluster group is hosted on the other cluster node.

You want to get an alert if both cluster groups are hosted on the same cluster node.


 

Script Details

It is quite practical to go to one of the cluster nodes, open Task Scheduler, and create a basic task that runs the script every hour, for example. Make sure:

  • You set the PowerShell execution policy on that cluster node to unrestricted, by opening PowerShell with admin elevation and running Set-ExecutionPolicy Unrestricted
  • The scheduled task runs under the (System) context


 

Now, open the script, go to the Script Customization section and enter the following:

  • SMTP Settings
  • Resource Group names by assigning values to the following two variables :
    • Resource1
    • Resource2
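An added PowerShell example, not the downloadable script from this post, that implements the mission above: it reads the owner node and state of the two cluster groups and mails an alert when both sit on one node or either is not online. The group names, SMTP server and addresses are placeholders standing in for the Script Customization values; it assumes the FailoverClusters module on the node it runs on.

```powershell
# Added example, not the post's script: alert when two cluster groups share a node or
# are not online. Requires the FailoverClusters module (run on a cluster node).
Import-Module FailoverClusters

# Script customisation, mirroring the post's Resource1/Resource2 and SMTP settings.
$Resource1    = 'FileShareGroup'          # placeholder cluster group name
$Resource2    = 'SQLGroup'                # placeholder cluster group name
$SmtpSettings = @{
    SmtpServer = 'smtp.example.com'       # placeholder
    From       = 'cluster-alerts@example.com'
    To         = 'ops@example.com'
}

function Test-ClusterGroupBalance {
    param([Parameter(Mandatory)][string[]]$GroupName)

    $groups = foreach ($name in $GroupName) {
        $g = Get-ClusterGroup -Name $name -ErrorAction Stop
        [pscustomobject]@{
            Group     = $g.Name
            OwnerNode = $g.OwnerNode.Name
            State     = $g.State.ToString()
        }
    }

    # Balanced means every group sits on its own node and every group is online.
    $distinctOwners = @($groups | Select-Object -ExpandProperty OwnerNode -Unique)
    $offline        = @($groups | Where-Object { $_.State -ne 'Online' })

    [pscustomobject]@{
        Balanced = ($distinctOwners.Count -eq $groups.Count) -and ($offline.Count -eq 0)
        Groups   = $groups
        Problems = @(
            if ($distinctOwners.Count -ne $groups.Count) {
                "All groups are hosted on node $($distinctOwners -join ', ')"
            }
            foreach ($o in $offline) { "$($o.Group) is $($o.State)" }
        )
    }
}

function Send-ClusterBalanceAlert {
    param([Parameter(Mandatory)]$Result, [Parameter(Mandatory)][hashtable]$Smtp)
    # Put the problem list first, then the full group table for context.
    $body = ($Result.Problems -join "`n") + "`n`n" + ($Result.Groups | Format-Table -AutoSize | Out-String)
    Send-MailMessage @Smtp -Subject "Cluster groups unbalanced on $env:COMPUTERNAME" -Body $body
}

$result = Test-ClusterGroupBalance -GroupName $Resource1, $Resource2
if (-not $result.Balanced) { Send-ClusterBalanceAlert -Result $result -Smtp $SmtpSettings }
```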

Download Script

You can download the script from this link http://sdrv.ms/1gUtDh9 

AD Backup – PowerShell Script

Mission :

I do not want to use third-party software to back up my Active Directory (the Domain Controller’s system state), because those third-party tools usually require high privileges and rights on domain controllers.

Instead, I will have a protected file share server, and I will use a script on the domain controller to back up its system state to that protected file share. Then I will use my favorite third-party solution to back up the protected file share server.


Prepare the File Server

Now, as the file share will host your AD backup, it is important to protect and restrict access to that file server. I would recommend installing a VM with a C drive for the OS and a D drive to host the system state backup.

Also, make sure that the Administrators group on that file server is restricted to domain admins only. Do not install any other server roles on the server and do not host any other shares on it.

Now, on the D drive, create a hidden share with Full permissions given to the (Domain Controllers) group in both the share and the NTFS permissions. (Domain Controllers) is a built-in security group that exists in your AD by default.

Prepare the Domain Controller

Nothing to prepare really here. You need to schedule the below script on one of your domain controllers. That’s it.

Script Breakdown

The script should be scheduled to run on any domain controller, and it should run using the built-in (System) security context. This gives it the right to take backups of your AD without any additional rights 🙂

The script starts by importing the (Server Manager) module using Import-Module ServerManager

Then we get the current date: [string]$date = get-date -f 'yyyy-MM-dd'

Following that, we define the folder on the remote file share: $TargetUNC = "\\FileServer\ADBackup$\AD-$date"

This assumes that the remote file server is called (FileServer) and the hidden share we created is called ADBackup$

Notice that we are assuming that backups are taken in a folder structure where the name of the folder contains the date on which the backup is taken.

So we first check whether a folder containing today’s date is already there, and if it exists, we delete it. This means that we do not keep two backups taken on the same date. This is just my own way; you can do yours.

Because the script will try to create folders on the remote share, the (Domain Controllers) group needs write access to that remote file share

If ( Test-Path $TargetUNC) { Remove-Item -Path $TargetUNC -Recurse -Force }

New-Item -ItemType Directory -Force -Path $TargetUNC

Finally, we start taking the backup using the wbadmin command. To back up to a remote file share, this command requires a user name and password to be supplied. So create a user (e.g. ServiceADBackup) and give it share and NTFS permissions to write to the remote file share.

$WBadmin_cmd = "wbadmin.exe START BACKUP -backupTarget:$TargetUNC -systemState -noverify -vssCopy -quiet -user:MyUser -password:MyPassword"

Invoke-Expression $WBadmin_cmd
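The same steps assembled into one scheduled script, as an added example rather than the post's downloadable script: it calls wbadmin.exe with an argument list instead of Invoke-Expression on a string, checks the exit code so a failed backup is not silently ignored, and prunes folders older than a retention window. The share, account, password and retention values are placeholders.

```powershell
# Added example, not the post's script: daily system state backup of a DC to a hidden
# share, with exit-code checking and retention. Values below are placeholders.
Import-Module ServerManager

$BackupShare = '\\FileServer\ADBackup$'   # hidden share from "Prepare the File Server"
$BackupUser  = 'CONTOSO\ServiceADBackup'  # placeholder account with write access to the share
$BackupPass  = 'ReplaceMe'                # placeholder; keep this script file readable by admins only
$RetainDays  = 14                         # placeholder retention window

function Invoke-ADSystemStateBackup {
    param(
        [Parameter(Mandatory)][string]$Share,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,
        [int]$RetainDays = 14
    )
    [string]$date = Get-Date -Format 'yyyy-MM-dd'
    $targetUNC = Join-Path $Share "AD-$date"

    # One backup per day: a folder for today is replaced, as in the post.
    if (Test-Path $targetUNC) { Remove-Item -Path $targetUNC -Recurse -Force }
    New-Item -ItemType Directory -Force -Path $targetUNC | Out-Null

    # Call wbadmin with an argument list instead of building a command string, so the
    # path and credentials are passed through without being re-parsed by PowerShell.
    & wbadmin.exe START BACKUP "-backupTarget:$targetUNC" -systemState -noverify -vssCopy -quiet `
        "-user:$User" "-password:$Password" | Out-Null
    $exit = $LASTEXIT_CODE_PLACEHOLDER_NEVER_USED
    $exit = $LASTEXITCODE
    if ($exit -ne 0) {
        throw "wbadmin failed with exit code $exit; see C:\Windows\Logs\WindowsServerBackup on this DC."
    }

    # Prune backup folders older than the retention window so the share does not fill up.
    $cutoff = (Get-Date).AddDays(-$RetainDays)
    Get-ChildItem -Path $Share | Where-Object {
        $_.PSIsContainer -and $_.Name -like 'AD-*' -and $_.CreationTime -lt $cutoff
    } | Remove-Item -Recurse -Force

    [pscustomobject]@{ Target = $targetUNC; ExitCode = $exit; Date = $date }
}

Invoke-ADSystemStateBackup -Share $BackupShare -User $BackupUser -Password $BackupPass -RetainDays $RetainDays
```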

Schedule Script

In order to schedule the script on your DC, open Task scheduler , create basic task with your own schedule preference, and when you reach the Action window, make sure to put (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) on the Program/script field, and the full path of your script in the (Add arguments (optional)) filed.


When you are done, open the task again, change the security context the script is using to (System), and check (Run with highest privileges).


Download Script

You can download the script from here http://sdrv.ms/1aMzCfd

Final Note

When taking backups this way, the logs for each backup are stored on that DC under (C:\Windows\Logs\WindowsServerBackup). Over time those logs consume a lot of space, so I run another script to delete old log files from this directory: http://ammarhasayen.com/2013/10/23/delete-log-files-older-than-x-days/

Monitor Active Directory Backup

The Requirement

“Send me email if my AD was not backed up recently”

I was given the task of making sure that AD backups (system state) are working fine and of getting alerts if they fail.

If you search the internet, you will find many solutions for backing up the domain controller's system state. If you are using the Windows built-in backup software, you can write a script that searches for specific event IDs under the Backup event log category. This was my initial thought. You will find many scripts out there that look at that place. But those scripts will only work if you are using the Windows built-in backup software.

I wanted a more direct, more reliable, more abstract way to check AD backups. I want to go to AD and ask it: when was the last time you were backed up? Then I get alerts if that exceeds my backup cycle window.

How to solve it?

Luckily, I found this nice article about PowerShell and AD. It is a smart way to get the backup status for each AD partition, and the script is written in a way that works in all environments with no hard coding.

They use these lines of code to get the last backup stamp for each AD partition:

Import-Module ActiveDirectory

[string]$dnsRoot = (Get-ADDomain).DNSRoot

[string[]]$Partitions = (Get-ADRootDSE).namingContexts
$contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType, $dnsRoot)
$domainController = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

ForEach ($partition in $Partitions)
{
    # dsaSignature is updated when a system-state backup is taken, so its
    # originating change time is the last backup time of this partition
    $domainControllerMetadata = $domainController.GetReplicationMetadata($partition)
    $dsaSignature = $domainControllerMetadata.Item("dsaSignature")
    Write-Host "$partition was backed up $($dsaSignature.LastOriginatingChangeTime.DateTime)`n"
}

What we need to do is use the same lines of code, but instead of printing the last backup stamp for each partition, configure the script to send us an email if the last backup stamp for any partition exceeds our AD backup window. For example, if we are supposed to take an AD backup every day using our favorite backup solution, then an email will be sent if the last backup stamp on any AD partition is more than 1 day old.
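The check described above written out as an added example (my own version, not the script linked below): it reads the dsaSignature stamp of every naming context, compares each one against a backup window, and sends a single email only when at least one partition is stale or has never been backed up. The SMTP server and mail addresses are assumptions to replace with your own; the backup window is the $MaxAgeDays parameter.

```powershell
# Added example: alert by email when any AD partition's last backup is older than the window.
# Assumed values (not from the original post): SMTP server and addresses below.
param(
    [int]$MaxAgeDays   = 1,                                # your AD backup frequency in days
    [string]$SmtpServer = 'smtp.example.local',            # assumption
    [string]$From       = 'adbackup-monitor@example.local', # assumption
    [string]$To         = 'it-alerts@example.local'         # assumption
)

Import-Module ActiveDirectory

function Get-ADPartitionBackupAge {
    # Returns one object per naming context: last backup time and its age in days.
    [string]$dnsRoot      = (Get-ADDomain).DNSRoot
    [string[]]$partitions = (Get-ADRootDSE).namingContexts
    $contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $context     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType, $dnsRoot)
    $dc          = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)
    $now         = Get-Date

    foreach ($partition in $partitions) {
        $meta = $dc.GetReplicationMetadata($partition)
        $sig  = $meta.Item('dsaSignature')
        # dsaSignature is only written by a system-state backup; no signature means never backed up.
        $last = if ($sig) { $sig.LastOriginatingChangeTime } else { $null }
        [pscustomobject]@{
            Partition  = $partition
            LastBackup = $last
            AgeDays    = if ($last) { [math]::Round(($now - $last).TotalDays, 2) } else { $null }
        }
    }
}

$status = Get-ADPartitionBackupAge
$stale  = $status | Where-Object { ($null -eq $_.LastBackup) -or ($_.AgeDays -gt $MaxAgeDays) }

if ($stale) {
    # One message listing every partition outside the window, not one message per partition.
    $table = $stale | Format-Table Partition, LastBackup, AgeDays -AutoSize | Out-String
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD backup overdue on $env:COMPUTERNAME (window: $MaxAgeDays day(s))" `
        -Body "The following partitions have no backup within the last $MaxAgeDays day(s):`n$table"
    exit 1   # non-zero so a scheduled task or monitoring job also records the failure
}

Write-Host "All $($status.Count) partitions were backed up within $MaxAgeDays day(s)."
```

Run it as any domain user on a schedule shorter than the backup window (for a daily backup, every few hours). Because the script exits with 1 when a partition is stale, a monitoring tool that watches the task's result code can raise the alert even if the email does not get through.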

Download the script

My own complete version of the script can be downloaded from here: http://sdrv.ms/19HgVvV

The script does not need any special permissions. Any domain user can execute it. The script asks you for your AD backup frequency and sends an email alert ONLY if the last AD backup is older than that frequency (i.e. you have an AD backup failure).

 

 

The script can be sc

Security Theory – Why IT security people should understand business?

Why do IT security specialists need to know and understand business, finance and return on investment to a certain extent? Why don't security people just do their homework by installing a security solution and firewalls? After all, who cares?!

Have you ever seen a security consultant entering an organization, going directly to the IT room, and starting to ask questions from a predefined checklist: "Do you have FIPS compliant encryption?", "Do you have a compliant firewall in place?", "Let us purchase this and this"?

Even worse, when you decide to do your homework, pick a security solution and ask for money to secure your network, the people who write the checks may refuse to spend money on something they do not understand. They do not understand the technology, so why should they spend money on something they cannot digest or feel? "Wow, you want me to spend money to be what?? Secure?!! Who cares," says the CEO.

I will start by stating a fact that surprises most IT security specialists: "In order to be a successful security specialist and do risk assessment, you need to know about both technology and business. A lot of technology and a little business."

A lot of people simply forget, or choose to ignore, the need to know the business of the organization. They just install a couple of firewalls and build a security solution without knowing much about the business they are trying to secure. Believe me when I say this is one of the biggest and most common mistakes, and it happens all the time.

First of all, do not forget that IT exists to serve the business and make money. We are here to serve the business, not the other way around. The people who pay to purchase and implement security solutions are business people, and they need business justifications in order to spend money. It means nothing to them if you say "I need money to make the systems more secure". For a business person: okay, who cares! Do you want me to spend money on something I cannot see, touch or even feel?

Instead, you can simply say "we are going to purchase a firewall to prevent hackers from stealing business trade secrets. Not doing that will cause us many financial and legal issues". Now you have their attention, because you are talking about business loss and impact. That is, you should provide business justifications and the return on investment for spending money on security, and the cost of not doing so. In other words, you should start learning the concepts of business "Risk" and "Risk Assessment".

Not only that: if you do not know what the most valuable assets of the business are, how can you know what to protect, or what to protect most? If all that matters to a business is the contact information sitting on a file share, and losing those contacts would cause big damage, then it is not practical to put all your security measures on the web servers that host the company's static web site, when losing those web servers would not actually affect the business that much.

I cannot emphasize enough how important it is to study the business from an IT security angle in order to understand what causes the business financial loss, reputation damage or even legal loss. Knowing those business risks will be your drive, as a security specialist, to start mitigating them from the IT side and directing IT spending in the right direction.

To summarize: IT security specialists should study the concept of business risk and how to mitigate those risks by implementing security solutions. Knowing what causes the business to lose money or reputation should be your drive to focus your efforts on what to protect, and what to protect most.

Protect Yourself while Traveling

This post is dedicated to my family, relatives and friends to help them protect their identity from theft while traveling.


If you are planning to travel somewhere and you are packing your stuff, it is very important to read these small tips that can help prevent your passwords, bank accounts and your digital identity from being exposed.

1. Leave important documents at home or in the hotel

Before you set off, only take with you the personal and identification documents you need. For example, why would you take your driving license with you if you are not going to use it while traveling?
Those documents are easily stolen from, or forgotten in, your wallet.

Once you arrive at your destination, carry a copy of your passport instead of the original. This lets you move around without having to worry about an important document getting lost.


2. Avoid public Wi-Fi at airports or public places

Never connect to an insecure Wi-Fi network on your laptop or mobile device. Doing so lets others capture your browsing traffic and access your email and social networking accounts. Stay on your 3G or 4G connection instead whenever possible.
Only connect to airport or other public Wi-Fi for ordinary browsing that does not involve entering your passwords.


3. Keep your mobile device locked

Password protect your phone in case it is lost or stolen. This can prevent or at least delay others from accessing your email or sensitive data.


4. Do not store devices in checked baggage

While it may be tempting to store a heavy laptop in your checked luggage, it’s safer to keep your devices with you in your carry-on baggage. Keeping your devices close to you while traveling helps keep snoops away.


5. Avoid posting on social media while traveling

This may seem extreme, but posting about your trip can alert others to your absence and give them a prime opportunity to snatch your unchecked mail or, worse, break into your unprotected house.


6. Update everything before traveling

It is very important to update all your devices (mobile and laptop) and make sure they have the latest software updates before a trip. Updating them while traveling (on hotel or public Wi-Fi) increases your chances of downloading malware.

7. Use the hotel safety box

Carry as little personal information with you as possible to protect against pickpockets and muggers, and safely store the rest of your documents in the hotel safe.

8. Check your bank account activity regularly

Make sure there’s no fraudulent activity occurring during your trip – and after. Keep an eye on your bank account for several weeks after returning from a trip; identity thieves are patient and will likely use your information after you return home.


9. Change your passwords when you return

It is a good practice to change all your passwords if possible when you are back home. You normally log on to social networks or check your email while traveling, and your passwords may be exposed. Changing them after you get back is a very good thing to do.

Finally, go out there, have fun and I wish you a safe trip.

Delete Log files older than X days

We all have a lot of log files. In Exchange, for example, the IIS log files on a CAS server contain much useful information that you can analyze. But they quickly start to occupy a lot of disk space.

I usually schedule a script to clean up log files. Here is a sample script that you can run as a scheduled task on a daily basis to clean up log files older than X days:

# Script Start

# Get the date for today
$Today = Get-Date
# Configure number of days to keep log files
[int]$Days = 40
$DayToInspect = $Today.AddDays(-$Days)

# Configure the path of log files to inspect
$LogFolder = "F:\IIS_Logs"

# Define the log extension
$LogExt = "*.log"

# Get files (files only, not folders) whose last write time is older than the cutoff
$Old_Files = Get-ChildItem $LogFolder `
                           -Include $LogExt `
                           -Recurse -File |
             Where-Object { $_.LastWriteTime -le $DayToInspect }

# Delete those files
if ($Old_Files)
{
    ForEach ($File in $Old_Files)
    {
        Write-Host "File found, deleting $($File.FullName)" -ForegroundColor "Magenta"
        Remove-Item $File.FullName | Out-Null
    }
}
else
{
    Write-Host "No log files older than $Days days found" -ForegroundColor "Green"
}
Write-Host "Script Ends" -ForegroundColor "Green"

# Script END
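The same cleanup wrapped in a function, as an added example of my own (not the script the post links to). It adds two things a practitioner usually wants before scheduling a deletion job: -WhatIf support, so a dry run lists what would be removed without touching anything, and a guard that refuses to run against the root of a volume so a mistyped path cannot wipe a drive. The folder path is an assumption taken over from the sample above.

```powershell
# Added example: log cleanup as a function with dry-run support and a root-path guard.
function Remove-OldLogFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$LogFolder,
        [int]$Days = 40,
        [string]$LogExt = '*.log'
    )

    # Refuse to clean the root of a volume (e.g. "C:\"); a typo here must not delete everything.
    $root = [System.IO.Path]::GetPathRoot($LogFolder)
    if ($LogFolder.TrimEnd('\') -eq $root.TrimEnd('\')) {
        throw "Refusing to clean the root of a volume: $LogFolder"
    }
    if (-not (Test-Path -LiteralPath $LogFolder)) {
        throw "Log folder not found: $LogFolder"
    }

    $cutoff = (Get-Date).AddDays(-$Days)
    # -File keeps directories out of the result even if a folder name matches *.log
    $old = @(Get-ChildItem -LiteralPath $LogFolder -Filter $LogExt -File -Recurse |
             Where-Object { $_.LastWriteTime -le $cutoff })

    foreach ($file in $old) {
        # ShouldProcess returns $false under -WhatIf, so nothing is deleted on a dry run.
        if ($PSCmdlet.ShouldProcess($file.FullName, "Remove log older than $Days days")) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
    Write-Verbose ("{0} file(s) older than {1} days under {2}" -f $old.Count, $Days, $LogFolder)
    return $old   # the affected files, so a caller can log or count them
}

# Dry run first; then the real run for the scheduled task (path is an assumption):
Remove-OldLogFile -LogFolder 'F:\IIS_Logs' -Days 40 -WhatIf
$removed = Remove-OldLogFile -LogFolder 'F:\IIS_Logs' -Days 40 -Verbose
Write-Host ("Removed {0} log file(s)" -f $removed.Count)
```

Because the function returns the files it acted on, the scheduled task can write that count to a log or the event log, which makes it easy to notice when the cleanup silently stops working (for example after a path or permission change).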

Download Script

Download the Script from here : http://sdrv.ms/1idOEPk

Security Academy – Course 105 : Botnets Part 2


In part two of this course, we will talk about the types of attack that can be launched from a computer infected with a bot.

Types of attacks

Distributed Denial of Service (DDoS) is the most common one, where the whole zombie army tries to bring a published service down by sending millions of requests, for example using Ping of Death, or using ICMP through a reflector (Smurf attack).

Another technique is called Teardrop, where bots send fragments of an illegitimate packet; the victim system tries to reassemble the fragments into a packet and crashes as a result.

A mail bomb, on the other hand, is when bots send a massive amount of e-mail, crashing e-mail servers.

Botmasters nowadays rent their zombie army to other people for a certain amount of money, to send spam emails and advertisements or even to carry out DDoS attacks.

Even worse, botmasters may use a botnet to perform phishing attacks or install key logging programs to steal your credit card information and passwords.

One of the most interesting uses of a botnet is to manipulate internet poll results or to perform Click Fraud. Click Fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes crackers commit Click Fraud by targeting advertisers on their own Web sites. Since Web advertisers usually pay sites a certain amount of money per click an ad gets, the botmaster stands to earn quite a few dollars from fraudulent site visits.

It becomes far more dangerous when it comes to identity theft, or to unknowingly participating in an attack on an important Web site.

How to prevent your computer from becoming one

Prevention is the name of the game here; below are some tips to prevent your computers from becoming bots:

  • Implement a good Antivirus.
  • Keep your systems patched all the time.
  • Implement a strong firewall.
  • Deploy very complex passwords that are hard to guess.
  • Do not open emails or attachments from people you do not trust.

Sadly, if your computer is already a bot, your options are limited. Your best shot is to erase everything and rebuild the box.

Check out this YouTube link http://www.youtube.com/watch?v=RTCpCy_FFXc

Security Academy – Course 105 : Botnets Part 1


Imagine that the internet is a city. It would be the most crowded city in the world, but it would be incredibly seedy and dangerous. You can find all types of criminals out there waiting to infect you with malware.

Inside this city, you would also discover that not everyone is who they seem to be – even yourself. You might find out that you’ve been misbehaving, although you don’t remember it. You discover you’ve been doing someone else’s bidding, and you have no idea how to stop it.

An attacker can infect a computer to turn it into a zombie computer and use it for illegal activities. The user generally remains unaware that his computer has been taken over; he can still use it, though it might slow down considerably. As his computer begins to either send out massive amounts of spam or attack Web pages, he becomes the focal point of any investigation into his computer's suspicious activities.

Moving to a New Blog Platform

This post is now moved to my new blog platform at https://blog.ahasayen.com. To continue reading this blog post, please click here

https://blog.ahasayen.com/malware-and-malicious-programs/

Security Academy – Course 104 : Malware Part 3


This is part three of the Malware course. In part one, we identified malware as the umbrella term: a big catchall phrase that covers all sorts of software with nasty intent. In part two, we talked about how malware reaches you [Delivery Methods]. In this part, we will talk about some of the [Actions] malware performs once you get infected. This is the interesting part!

Spyware: Steals Your Information

Spyware is a malicious computer program that does exactly what its name implies, i.e. it spies on you. After downloading itself onto your computer, either through an email you opened, a website you visited or a program you downloaded, spyware scans your hard drive for personal information and your internet browsing habits.


Some spyware programs contain keyloggers that will record personal data you enter in to websites, such as your log on usernames and passwords, email addresses, browsing history, online buying habits, your computer’s hardware and software configurations, your name, age and sex, as well as sensitive banking and credit information.

Some spyware can interfere with your computer’s system settings, which can result in a slower internet connection.

Since spyware is primarily meant to make money at your expense, it doesn’t usually kill your PC—in fact, many people have spyware running without even realizing it, but generally those that have one spyware application installed also have a dozen more. Once you’ve got that many pieces of software spying on you, your PC is going to become slow.

Scareware: Holds Your PC for Ransom!

Sometimes it is called ransomware.

Lately this has become a very popular way for Internet criminals to make money. This malware alters your system in such a way that you are unable to get into it normally. It then displays some kind of screen that demands a payment to have the computer unlocked. Access to your computer is literally ransomed by the cyber-criminal.

Sometimes the user is tricked into downloading what appears to be an antivirus application, which then proceeds to tell you that your PC is infected with hundreds of viruses and can only be cleaned if you pay for a full license. Of course, these scareware applications are nothing more than malware that holds your PC hostage until you pay the ransom; in most cases you cannot even use the PC.

Ransomware can be Lock Screen type (locks your computer until you pay), or Encryption type, which will encrypt your files with a password until you pay.

The most famous malware of this type is the "FBI MoneyPak". It locks your screen with a message saying that you broke some copyright laws or visited unauthorized pages, and that you need to pay the FBI money to unlock your PC. Really smart!


Adware: We will get you some Advertisements

Adware is any software that, once installed on your computer, tracks your internet browsing habits and sends you popups containing advertisements related to the sites and topics you’ve visited. While this type of software may sound innocent, and even helpful, it consumes and slows down your computer’s processor and internet connection speed. Additionally, some adware has keyloggers and spyware built into the program, leading to greater damage to your computer and possible invasion of your private data.
