Educause Guest Blog: Think Before You Speak

Hello All:

In honor of cyber security month 2016, Educause allowed me to be a guest blogger once again for their Security Matters blog.

Read it Here: Think Before You Speak: Effectively Share Risk Across the Organization

There are some other great articles published this week as well, including one written by SANS’ Lance Spitzner.

Thanks for checking it out!

SANS SEC503 (GCIA) Review

Ouch. My head hurts.

I am tempted to end my review right there, but this class is just too awesome. I would not be doing it justice.

This past May I attended SEC503, Intrusion Detection In-depth, virtually. It was the vLive format, essentially a live stream of the course at SANS Houston. As far as the format is concerned, I liked it more than on-demand, but not as much as being there in the flesh. You don’t get to network as well and obviously you miss out on Netwars and SANS @ Night, but the core part of the experience is kept intact. I had the ability to interact with the class via chat, which was definitely useful. If I typed in a question, the moderator would inform the instructor, in this case Johannes Ullrich. He would then respond verbally, which was a great way to interact with the instructor remotely. This was important to me because one of the primary reasons I prefer SANS courses over many others is the caliber of their instructors. Dr. Ullrich is truly an expert in the field and for those that don’t already, I would highly recommend subscribing to his daily ISC Stormcast. If you don’t know, now you know (yes, that was a 90’s hip hop reference)! I digress.

The course lived up to the hype. It has a reputation for being one of the most challenging SANS courses. And I would have to say that of the courses I’ve taken, there is truth to that. I will qualify that by saying I do not have a strong background in this area. I had a high level understanding of packet analysis solely from SEC401, but otherwise this was uncharted territory for me. I am comfortable with IDS concepts overall and oversee a managed implementation of such, but my hands-on experience is limited. This course filled in all the gaps. I was able to work with snort quite a bit, and some other great solutions such as Bro, SiLK and Security Onion. I learned very quickly that aside from basic functionality, Bro requires basic programming capability to support, hence the limited adoption. I also learned more about IP, TCP, UDP, and IPv6 that I ever cared to know about. But more importantly, I have a crystal clear understanding of what is normal and what is not when looking at a series of packets. It also provided plenty of flight time with tcpdump and Wireshark.

Wireshark screenshot

I used the full 4 months to prepare for this exam after taking the course. Partially due to external time contention (being appointed interim CISO shortly after I took the course) and partially because this material was outside of my comfort zone…not my cup of tea as “they” say. I still managed to score a 95 on the exam. I’m not sharing that to brag. I wanted to reassure my blog readers that if you are inclined to take this course, you can be successful, even if you’re not already a packet ninja. If you want to be one, this is a good place to start. I would like to set your expectation, though. Even after taking this course, I would not consider myself a black belt. Brown belt at best!

Do I recommend this course…absolutely. Keep the Advil handy, though!

Catchy Headlines and the Pokemon Go non-Controversy

Imagine my surprise when reading headline after headline last night that proclaimed from the rooftops, “Pokemon Go App Can Read Your Emails!” and similar.

Users who were downloading this Apple iOS game were surprised to learn that the permissions it requested to Gmail when logging in included full access to their account, yet it was still downloaded FIVE MILLION times.

I was ready to get on my soapbox about paying attention to the permissions of every app you install, not letting your children install apps unattended, and the need for app developers to get it together, when I read this…

Pokemon Go was Never Able to Read Your Emails 

Soooooooooooo, as it turns out, the message users received was not accurate. In this case, although it did claim to have “full account access,” this term did not actually mean FULL account access. So is there any lesson to be learned or is this a pointless blog post?

Yes, and maybe. We should always be wary of any app that requests “full account access” or full access to anything regardless of what it means! So my soapbox lessons still apply. More specifically, pay attention to the permissions of every app you install, don’t let your children (30 and under) install apps unattended and app makers need to get it together! I digress.

Another important thing to check from time to time is what currently has access to your account. If you are a Gmail user, you can go to “My Account–>Connected apps & sites.” You may be surprised to see what is listed there. Remove the items you no longer use.

In a similar vein, have you checked who is authorized to charge you via Paypal lately? It accumulates over the years. Check the list by clicking on the “Settings Gear –> Payments –> Preapproved Payments.” I am always surprised to find vendors listed that I approved for a single purchase in that list, and subscriptions that I cancelled many years ago. Clean it up before someone cleans out your bank account.

OH! And if you’re not a vendor, don’t do this voluntarily…

In summary, from Pokemon to Paypal, be careful out there. Have a good day!

Thanks for reading and don’t forget to subscribe.

Breaking News: Company Fully Secured!

Another day, another breach. Why don’t the good guys ever make the news?! Well, I decided to facetiously report on a company that has done the impossible. Prepare for corniness…

Breaking news: Security is not a journey, it’s the destination!

Today I’m excited to tell you about a company, Foolery Jewelry, that has dedicated their efforts and finances to completely eliminate all cyber security risk. It was not a simple undertaking, but they thought outside the box and were successful. They have redefined defense-in-depth as we know it. Here’s how they did it.

  1. Security Awareness Training – After realizing that traditional methods were only partially effective, a home-grown user education package was developed. The concept was a simple twist on Pavlovian reconditioning. Every time a user clicked on a link in their email or opened an attachment without first verifying the source, a large rubber mallet extended from behind the user’s monitor and gently whacked the user on the head. This was quite effective for a time, but the users adapted and began to wear bike helmets to work so they could still view funny cat memes between placing incoming jewelry orders. Another layer was needed!
  2. Host-based Intrusion Prevention System (HIPS) – Although progress was made with the security awareness training program, it was clear that additional measures were required. To discourage clicking altogether, computer mice were replaced with actual mice. The amount of mallet hits plummeted, malware infections decreased and the company enjoyed an unexpected side effect. Namely, worker productivity spiked and sales doubled. Other large companies were quick to follow suit. In other news, Facebook’s stock took a nose dive. However, this method also was limited in effectiveness as workstations were gradually replaced by tablets, phones and other touchscreen devices that no longer required an archaic pointing device.
  3. Next, Next Generation Firewall – Layers one and two certainly helped, but it became clear that a next generation firewall was required. I’m not talking about a Palo Alto or CheckPoint NGFW. Foolery Jewelry made a seemingly drastic decision and air-gapped their entire network. Internet connectivity was completely eliminated. As it turned out, only a very small group of their employees required internet connectivity to do their job. Those individuals were fired and investors cheered because costs were reduced with no reduction in profit.

    https://foswiki.org/Community/WikiWatch

  4. The No Network, Network – With no connection to the outside world, it seemed as if their company was fully secured. That’s when things got interesting. An employee found a USB stick outside in the parking lot labeled as “Layoff Plan.” They secretly plugged it in and not-so-secretly infected their computer. That computer then infected other computers and it seemed as if all their security measures failed. It was time to kick things up a notch. Every computer was disconnected from the network altogether. USB ports were filled in with rubber cement, network cards were uninstalled, and network cables were cut. Stand-alone workstations were used to fill out spreadsheets and each worker essentially ran their own mini-instance of Foolery Jewelry. This was a new business model for Wall Street, progressively referred to as the “micro-business island computing model,” and sales continued to grow. Captains of industry applauded the model and even Amazon vowed that by 2020, they would convert their business to a network-free ecommerce platform. Gartner couldn’t explain what that meant, but they created a new magic quadrant nonetheless for a new vertical of technology offerings called “Network-free Networking (NFN).” Marketing teams quickly replaced all references to SDN with NFN and the cold calling began.

    http://www.herzan.com/products/electromagnetic-interference-isolation/faraday-cages.html

  5. Wireless Prevention Cube – There was still concern about employees introducing unauthorized hotspots using the iPhone 14 SE Plus 2 Android Edition wireless hotspot feature. The decision was made to wrap every cubicle in a Faraday cage, with no door or entrance that an employee could unwittingly leave cracked open. No leakage in or out. Strangely, sales came to a screeching halt as employees arrived to work and, with no access to their cubicle, had no choice but to spend the day eating bagels in the break room.

Foolery Jewelry reached their cyber security goals, and fully secured their company. Unfortunately, they also destroyed their company. This was supposed to be a good news article. Oops.

Is your security road map similar? The reality is that security cannot be purchased or deployed. It has to be managed. There is no way to eliminate risk or fully secure any piece of technology. But thought should be put into how and what we are trying to secure. Listen to vendors, but don’t do everything they say. Right now there is a security-vendor bubble in the works. Every start-up has Wall Street behind it, and of course they have the answer on how to fully secure your company. Impossible! Nonetheless, when the bubble bursts, there will be many new security companies still standing and many others that no longer exist. Not to mention the many victimized companies that will fall along the way after investing heavily in these solutions, but still suffering a major breach. Foolery Jewelry is one company who just didn’t make it. Will yours?

What’s your favorite security-related magic quadrant? CASB? NGFW? Let us know in the comments below.

Thanks for reading and don’t forget to subscribe!

Quoted by CSOOnline: Keeping your kids safe along with your network

One of my comments regarding BYOD was quoted in an online slideshow on CSO Online. My comment is on slide 3. Pretty cool! It’s an interesting and concise article on a complex topic. I’m not just saying that because I was quoted…

Keeping your kids safe along with your network

The article’s author, Josh Fruhlinger, has a bunch of similar slideshow formatted articles on various topics. Be sure to check those out as well.

Thanks for reading and don’t forget to subscribe.

No Longer Unsolved Mysteries: Kevin Poulsen

I had the opportunity to hear Kevin Poulsen speak recently and it was a real treat. Kevin is a recovered black hat, now working as a writer and journalist. I hereby pronounce his book mandatory reading for anyone working in cyber security.

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

It’s a great read and beyond the entertainment factor, it gives tremendous insight into how stolen credit cards have evolved from being just an edgy hobby into big, very big, business.

In the talk I attended, Kevin gave his own story and even showed us a clip of himself, as a troubled and devious youth hacker, as depicted on Unsolved Mysteries. But the heart of his talk summarized the story told in his book, Kingpin. This book tells the story of since-captured hacker Max Butler, who in his own mind had only the purest intentions: hack the hackers and make money along the way. That slippery slope ended abruptly and Kevin does a terrific job of capturing the facts and the personalities involved, which are often overlooked when simply reading the headlines. Another version of his talk was recorded at Stanford Law School when he gave it in 2011. Check it out here:

After the talk, I asked him if he agreed with most security analysts who predict that criminal hacking focus will shift from stolen credit cards to medical records. He replied, in part, “I’m not convinced yet.”

He explained in his talk that although chip and pin/sig will not stop all credit card theft, it will hamper the appeal and availability of large payloads we have seen in recent years.

Whether the focus shifts or not, one thing is for sure…bad guys are good at multitasking.

What do you think the next big thing will be? Let me know it in the comments below.

Thanks for reading and don’t forget to subscribe.

Free Full Shodan.io Membership For EDU Users

The dark side is strong, but the force has awakened <gratuitous Star Wars reference>. Jedi knight and security analyst, Eric Johnfelt, stumbled upon a find that we feel is worth shouting from the proverbial rooftops. Shodan.io, for those that don’t know, is like a search engine for internet-connected systems. Shodan allows you to quickly see what systems and applications are exposed to the internet within your network range. It finds more than just servers, but I will let you explore the other features on your own.

I know what you’re thinking. “Cool! The good guys can check their own network ranges and see if something is inadvertently exposed to the internet!”

To that I say, “Correct! And guess what? The bad guys can check your network ranges and see if something is inadvertently exposed to the internet!”

But, alas! All is not lost thanks to Shodan’s owner, John Matherly. The good guys have the upper hand for a change. He is willing to upgrade any EDU user to a full account for free! As in, $0 instead of $49. Plus, it includes an API plan that normally costs $99+ a month! This is not a brand new offer, but certainly worth mentioning for those of us who didn’t know this previously. It includes the following:

– All add-ons (HTTPS, Telnet, view up to 10,000 search results)
– 100 Export Credits
– Improved API plan (access to up to 20 million results/ month)
– Shodan Maps (https://maps.shodan.io)
– Shodan Images (https://images.shodan.io)
– Free access to the Complete Guide to Shodan book

When I asked him why he is offering this deal, he revealed that he used to work at a University before starting Shodan, and “…it was a pain to get funding for anything!” I can’t imagine what he means by that <insert sarcastic grin here>. To take advantage of this offer, sign up for a free account and then send an email to support@shodan.io from your EDU email address and tell them what your username is.

In any case, thanks to John and the Shodan crew for making this awesome tool free for EDU folks! One word of caution, though. Use Shodan responsibly and do not abuse your newly granted power. Don’t allow the dark side to seduce you. If you visit any of the discovered devices without authorization, you could be breaking the law.

May the force be with you.

https://flic.kr/p/7zLt8y – Public Domain

Have you used Shodan before? In what ways have you found it useful? Let me know in the comments below.

Thanks for reading and don’t forget to subscribe.

The Not-So-Secret Windows Command You Don’t Know About

As I dive deeper into the world of cyber, I tend to quote my father about once a week, “If I knew then the things I know now!” I have been trying to share some of these worst kept secrets from time to time and here’s another one. A single tool that I can’t believe I lived without for so many years.

The tool’s name is…drumroll please…

WMIC.

If you already know about it, awesome. You’re legit. If not, learn about it right now and start to think about how you can use it. WMIC can query just about anything about your system and tell you what’s really going on.

Two commands in particular you should commit to memory right now:

wmic startup list full | more will show you every process that runs at startup. Hugely valuable for finding evil processes or even just troubleshooting performance.

wmic process list full | more is like task manager on steroids. And this command is a kernel-level command, so evil processes have to work harder to hide from it. There is one portion of this output that is just priceless. Look closely and notice the line “ParentProcessID.” It actually identifies what process spawned each subsequent process. So, if you are suspicious about a particular process and find out that the parent process id is iexplore.exe, you might be on to something. Or maybe you find that the parent process id is explorer.exe, then it’s probably something you double clicked…DOH!

wmic command

And YES, wmic can be used to query computers across the wire, just use the /node:%computername% switch. Wmic is extremely powerful and its usefulness is only limited by your imagination. But step one is knowing it exists! Now you can proceed to step 2.
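The two wmic commands above print ParentProcessId as a bare number, so you still have to look up which process that number belongs to. The following PowerShell script is an added example (not from the original post or from SANS) that reads the same two WMI classes wmic reads, Win32_StartupCommand for “wmic startup” and Win32_Process for “wmic process,” and resolves every ParentProcessId to a parent name so the iexplore.exe / explorer.exe check from the post can be done in one pass. The -ComputerName parameter plays the role of wmic’s /node: switch. The watch list of parent names, the <exited> and <pid reused> markers and the column layout are this example’s own choices.

```powershell
# Added example, not part of the original post. Requires Windows PowerShell 3+
# (CimCmdlets). Run as an administrator to see command lines of all users' processes.
param(
    # Equivalent of wmic's /node:<name>; defaults to the local machine.
    [string]$ComputerName = $env:COMPUTERNAME,
    # Parent names worth a second look. iexplore.exe is the post's own example;
    # extend the list to suit your environment (assumption: a browser should not
    # normally be spawning other executables).
    [string[]]$SuspiciousParents = @('iexplore.exe')
)

# Only pass -ComputerName when a remote host is requested; an empty hashtable
# splats to nothing, so the local query uses no remoting at all.
$remote = @{}
if ($ComputerName -and $ComputerName -ne $env:COMPUTERNAME) {
    $remote['ComputerName'] = $ComputerName
}

# 1. Startup entries: the class behind "wmic startup list full".
Write-Host "== Startup entries on $ComputerName ==" -ForegroundColor Cyan
Get-CimInstance -ClassName Win32_StartupCommand @remote |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap

# 2. Processes: the class behind "wmic process list full".
$procs = Get-CimInstance -ClassName Win32_Process @remote

# Index every process by PID so ParentProcessId can be turned into a name.
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

$rows = foreach ($p in $procs) {
    $parent = $byPid[[uint32]$p.ParentProcessId]
    # Windows reuses PIDs. If the "parent" started after its child, the real parent
    # has exited and the PID now belongs to an unrelated process, so do not name it.
    $parentName =
        if (-not $parent) { '<exited>' }
        elseif ($parent.CreationDate -and $p.CreationDate -and
                $parent.CreationDate -gt $p.CreationDate) { '<pid reused>' }
        else { $parent.Name }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        ParentPID   = $p.ParentProcessId
        ParentName  = $parentName
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
    }
}

Write-Host "== Process tree (parent resolved by name) ==" -ForegroundColor Cyan
$rows | Sort-Object ParentPID, PID |
    Format-Table PID, Name, ParentPID, ParentName, Path -AutoSize

# 3. The post's check, automated: anything whose parent is on the watch list.
$flagged = $rows | Where-Object { $SuspiciousParents -contains $_.ParentName }
if ($flagged) {
    Write-Host "== Processes spawned by a watched parent ==" -ForegroundColor Yellow
    $flagged | Format-Table PID, Name, ParentName, CommandLine -AutoSize -Wrap
} else {
    Write-Host "No process has a parent on the watch list: $($SuspiciousParents -join ', ')"
}
```

Save it as a .ps1 and run it with no arguments for the local box, or with -ComputerName to query another machine the way /node: does (WinRM must be reachable on the target). Processes whose ParentName is explorer.exe are, as the post says, usually things a user double-clicked; the <exited> and <pid reused> markers are there because a raw ParentProcessId from wmic can point at a process that no longer exists, which is easy to misread as a suspicious parent.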

The SANS Windows Commandline Cheat Sheet gives some more detail about this command and several others. Be sure to check it out.

What other commands do you know about that are under utilized or desperately in need of some more attention? Let us know in the comments below.

Thanks for reading and don’t forget to subscribe.

SANS SEC504 (GCIH) Review

There was one problem with this class…I didn’t want it to end. 6 days long and two months of supplemental studying only whet my appetite for what SANS has to offer. SANS SEC504 (GCIH) was the perfect sequel to the SANS SEC401 (GSEC) course I took over a year ago. In similar fashion you cover one book per day, but the books are only “yay” thick (a welcome reduction compared to 401):

picture of book thickness compared to pencil

Let me give you 5 reasons why this course is a must-do for any security professional.

1) John Strand: He took over authorship for this class from Ed Skoudis (his virtual big brother) and to say John has done the class justice is an understatement. He shares many firsthand experiences and even some tools in this course that were built by his own company, Black Hills Information Security (BHIS). For instance, on day 5 you get to “infect” yourself with a command and control bot that calls home using a common HTTP parameter. It’s amazing to see things from the perspective of a “bot herder” and to leave the course with a way to test your NGFW, IDS and maybe even your MSSP. Plus, he throws in there a bunch of little tidbits that are not part of the actual curriculum. Thanks, John.

2) MP3s of the course: John was not the in-person instructor when I took this course, Kevin Fiscus was. Fortunately, Kevin understood the material about as well as anyone in the world, aside from the actual authors. However, the beautiful thing about every SANS course is that a week after it concludes, you’re provided MP3 audio files of a previous class. In this case, it was a session that John Strand taught. A quick download allowed me to listen to the course during my daily commute. In other words…two instructors for the price of one!

3) Incident Response Phases: Day 1 was our foundational day which sets the table for the following 5 days of intense instruction. By the conclusion of the course, you will be uttering the 6 stages of Incident Response in your sleep…Preparation, Identification, zzzzzz, Containment, Eradication, Recovery, Lessons Learned…zzzzzzzzzzzzz. The ZZZ’s are not there because it’s boring, but because after each and every threat you review during the week you then commence to review how to identify such an attack, prepare for it, contain it and eradicate it. Over and over again that formula is followed. Really awesome approach and a great way to learn.

4) Netcat Relays, Buffer Overflows and Format String Attacks: Day 3 was the most technically intense day of all and filled in a lot of gaps for me, and created some new ones. You will go to bed this night with a headache and wake up with a newfound respect for the tools that make complex attacks trivial to carry out today.

5) Day 6 Capture The Flag (CTF): If you’ve never participated in a capture the flag competition, this is the perfect way to start. You break up into teams and use many of the skills you have acquired throughout the week. So not only do you spend most of the week thinking like a bad guy, you then get to BE a bad guy and break into actual systems in a lab environment. As Kevin Fiscus said, “Don’t overhack this, guys!” Throughout the week you are given many “hints” and even if you are used to CTF competitions, you will learn a lot and realize that sometimes the easiest way in is through the front door…no backdoors required. But you’ll know how to create those too if you so choose.

I don’t want to make days 2 and 4 feel bad, those are great too. The bottom line is that offense should inform the defense and this course helps you to take a close look at the offense. This is not a penetration testing course, but you do walk the line throughout it with the goal of identifying and defending against common practices used by hackers today. Yes, you also look at some tools that they use, but understanding why they use such tools and how they work is more important. The course has a defensive theme woven throughout.

A pass on the exam is very achievable. Like every SANS course, it is open book. The questions are mostly straightforward, but a few of them were kind of sneaky. Others make you interpret screenshots and identify the type of attack you are dealing with. There were quite a few on my exam about the actual IR process and what steps should be taken within each phase. If you prepare well, you don’t have to worry about passing or failing. It’s more a matter of how well you will do. If you’re not in the GIAC Advisory Board, make it a goal to get 90 or better on this exam so you can join the party. It is worth the effort. This was my second SANS course and my equation for success was the same: 1) Attend the course (online or in-person) and do all the labs while you’re there. 2) Listen to the MP3’s in your car. 3) Read each book, highlight key phrases and create a detailed index.

For this course, my index was 18 pages long and 821 lines. It is essentially an Excel spreadsheet with 4 columns: Keyword/Subject, Book, Page, Summary/Info. I added several SANS cheat sheets to the back for reference and had the whole thing spiral bound at Staples for $5. Here’s a picture of mine, mostly blurred, so please don’t ask me to send you a copy:

GCIH Index Picture

One change I would suggest to SANS is to spend a little bit more time on identifying intrusion remnants on Linux computers. It is covered, but not to the extent I would have preferred. Don’t get me wrong, the 6 days were jam packed, so I’m sure the authors had to make some decisions along the way in terms of content. For instance, there was a lab on day one that walked you through looking for signs of intrusion on a Windows box. The equivalent steps were covered for Linux in the appendix, so I was able to go through that but on my own time. Memory analysis is covered in two different labs, which focused on the memory dump from a Windows machine. This is clearly the most common scenario most students will face, but in my environment there are a large number of Linux computers to deal with too. Fortunately, the skills I learned can be extended to Linux with a couple of quick Google searches.

Major Takeaways: Defend your user accounts because when the bad guys have valid credentials on your network, YOU ARE IN TROUBLE. If you can’t detect an insider, you can’t detect stolen credentials. Stop trying to be a hacker. Be a security professional. Treat your internal network like it’s hostile…because it is.

Oh, one more thing…YOU’RE WELCOME.

Did you take this course or another SANS course? Tell us about it in the comments below.

Thanks for reading and don’t forget to subscribe.