SANS SEC401 Course Review

I recently completed the SANS SEC401 Security Essentials Bootcamp course via an online on-demand webcast.  If taken in person, this course runs 9 AM to 7 PM for six days…hence the “bootcamp” label.  With the on-demand format, you have the added privilege of viewing the lecture content at your own pace over a four month period.

If I can summarize the course in one word it would be, “AWESOME.”  The writer and instructor of the course is Dr. Eric Cole, a fellow of the SANS Institute.  His enthusiasm is contagious and he made approximately 50 hours of lecture content fly by in what felt like a mere 49 hours.  That is no simple feat considering the content.  Each day is dedicated to a particular topic:  Day 1:  Networking Concepts, Day 2:  Defense In-Depth, Day 3:  Internet Security Technologies, Day 4:  Secure Communications, Day 5:  Windows Security, Day 6:  Unix/Linux Security.  Oh, and there is a corresponding book for each day…

SANS GSEC401 Text Books

I read every word and went the extra measure of creating an index for all 6 volumes, which SANS intentionally neglects to include to encourage “Learning.”  I followed the advice posted by this fellow SANS trainee so I won’t bother going into detail.  My index looks eerily similar to his and I found his blog posting very useful.  In total it is 28 pages long.

What I especially loved about this course is that Dr. Cole added so much real world context to the material.  The course differs from the “textbook” model of teaching, and as far as I’m concerned, this should be a requirement for all security courses.  Textbook and real world are often misaligned, and the content addressed these challenges head on.  He also gave examples of textbook recommendations being ignored, and at what cost.  For example, he described a scenario where an adversary had breached a very large network.  One well-meaning administrator sent a message over email about cleaning up the breach.  Oops…the defenders never had a chance, because the adversary read the email and inflicted as much damage as possible before the cleanup started on Monday.  This highlights the importance of out-of-band communication during an incident: assume the attacker can read anything sent over the compromised network.

There were also tons of hands-on labs and practical content.  I spent the time doing every lab and had the opportunity to play with tools like tcpdump and even messed around with steganography.  It was kind of fun hiding a secret message to my wife within a jpg picture of our kids.  Hands-on training is a simple but powerful learning technique and SANS makes good use of it as part of their curriculum.

Compared to the CISSP content, which I consumed 6+ months ago by means of a self-study program, I found there to be some overlap.  More often than not, the SANS training looked at hands-on topics more granularly, but areas of theory were covered in more detail within the CISSP courseware.  For example, the Bell-LaPadula model was briefly mentioned in SEC401, but explained in further detail by the CISSP.  Overall, I am happy with the order in which I pursued these credentials, but they could have been tackled in reverse order just the same!

This class truly was a bootcamp and for that reason I did appreciate the ability to go through the material at my own pace.  In some regards, though, I think doing so is prolonging the pain, er, I mean, extending the fun.  There is something to be said for battening down the hatches and going off-grid for 6 long days versus trying to steal 6 long days from your normal schedule.  Some other courses which are more lab intensive and collaborative, would not be as good if taken in this format.

SANS offers endless training opportunities and there is a case to be made for all IT employees to take some of their training.  For example, they have an entire course that focuses on Windows Security.  There’s another that focuses on Unix Security.  Secure Web Development?  They’ve got that.  Let’s not forget Network Security…  The list goes on and on.  These courses are not just for security analysts.  They are for IT professionals who want to accomplish their job in a secure manner and I highly recommend them to all IT administrators.  Perhaps one person from each department could attend one SANS course per year?  Wishful thinking perhaps, but it would be a great investment and in line with our core values here at DoIT.

“We will actively hire great people, develop the growth of our staff, promote a diversity of voices, and support our staff.”

I will be taking the associated GIAC GSEC exam within the next week for the sake of putting a rubber stamp on this experience.  However, it’s really all about the journey, not the destination!

Some food for thought from the course:

1) Prevention is ideal.  Detection is a must.

2)  What is the risk?  Is it the highest priority risk?  Is it the most cost effective way to mitigate the risk?

3)  TCP/IP and TCPDUMP Cheat Sheet

4)  SANS Windows Tools and Scripts Download

5)  Baseline your systems while they are healthy by, at a minimum, documenting running processes, listening ports, existing users (especially admin- and root-level accounts, i.e. anything with UID 0 on Unix) and admin group membership.  A baseline is only useful if you diff against it later, so store it somewhere the host cannot modify and compare on a schedule.
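Item 5 in code form.  This is an added example of my own, not SANS course material: it parses the text formats of /etc/passwd, /etc/group, `ss -ltnH` and `ps -eo comm=`, records exactly the four things the item lists, and diffs a later snapshot against the stored baseline.  The admin group names and the sample inputs at the bottom are constructed for illustration; collect_live() gathers the same data from a real Linux host.

```python
"""Baseline a Linux host's UID-0 accounts, admin-group members, listening
ports and running processes, then diff a later snapshot against it.

Added example for this post, not SANS course material.  The parsers accept
the text formats of /etc/passwd, /etc/group, `ss -ltnH` and `ps -eo comm=`,
so collect_live() works on a real host; the sample inputs at the bottom are
constructed to show what a tampered host looks like against its baseline.
"""
import json
import subprocess
from collections import Counter

ADMIN_GROUPS = ("root", "wheel", "sudo", "admin")   # assumed admin groups


def parse_passwd(text):
    """Usernames with UID 0: any account here *is* root, whatever it is called."""
    return {f[0] for f in (line.split(":") for line in text.splitlines())
            if len(f) >= 3 and f[2] == "0"}


def parse_group(text):
    """{group: set(members)} for the ADMIN_GROUPS present in /etc/group."""
    members = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] in ADMIN_GROUPS:
            members[f[0]] = {m for m in f[3].split(",") if m}
    return members


def parse_ss(text):
    """Listening TCP sockets ('addr:port') from `ss -ltnH` (header suppressed)."""
    return {f[3] for f in (line.split() for line in text.splitlines())
            if len(f) >= 4 and f[0] == "LISTEN"}


def parse_ps(text):
    """Process names from `ps -eo comm=` as a Counter, so a second copy of a
    normally-single process (sshd, cron, ...) counts as a change."""
    return Counter(line.strip() for line in text.splitlines() if line.strip())


def snapshot(passwd, group, ss_out, ps_out):
    """JSON-serialisable record of the four things the post says to baseline."""
    return {
        "uid0": sorted(parse_passwd(passwd)),
        "admin_groups": {g: sorted(m) for g, m in parse_group(group).items()},
        "listening": sorted(parse_ss(ss_out)),
        "processes": dict(parse_ps(ps_out)),
    }


def collect_live():
    """Snapshot the local host (Linux; needs ss and ps on PATH)."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    with open("/etc/passwd") as pw, open("/etc/group") as gr:
        return snapshot(pw.read(), gr.read(), run("ss", "-ltnH"), run("ps", "-eo", "comm="))


def diff(baseline, current):
    """{category: {"added": [...], "removed": [...]}} for each changed category;
    an empty dict means the host still matches its baseline."""
    changes = {}

    def compare(key, old, new):
        added, removed = sorted(new - old), sorted(old - new)
        if added or removed:
            changes[key] = {"added": added, "removed": removed}

    compare("uid0", set(baseline["uid0"]), set(current["uid0"]))
    compare("listening", set(baseline["listening"]), set(current["listening"]))
    for g in set(baseline["admin_groups"]) | set(current["admin_groups"]):
        compare("group:" + g, set(baseline["admin_groups"].get(g, ())),
                set(current["admin_groups"].get(g, ())))
    old_p, new_p = Counter(baseline["processes"]), Counter(current["processes"])
    up = sorted(n for n in new_p if new_p[n] > old_p[n])
    down = sorted(n for n in old_p if old_p[n] > new_p[n])
    if up or down:
        changes["processes"] = {"added": up, "removed": down}
    return changes


# Constructed sample: a healthy baseline, then a snapshot after an intruder added
# a second UID-0 account, put 'web' into sudo, opened a listener and a shell.
PASSWD_OK = "root:x:0:0:root:/root:/bin/bash\nweb:x:1001:1001::/home/web:/bin/bash\n"
PASSWD_LATER = PASSWD_OK + "toor:x:0:0::/root:/bin/bash\n"
GROUP_OK = "root:x:0:\nsudo:x:27:alice\nusers:x:100:web\n"
GROUP_LATER = "root:x:0:\nsudo:x:27:alice,web\nusers:x:100:web\n"
SS_OK = 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))\n'
SS_LATER = SS_OK + 'LISTEN 0 10 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=4242,fd=3))\n'
PS_OK = "systemd\nsshd\ncron\n"
PS_LATER = "systemd\nsshd\nsshd\ncron\nnc\n"

BASELINE = snapshot(PASSWD_OK, GROUP_OK, SS_OK, PS_OK)
LATER = snapshot(PASSWD_LATER, GROUP_LATER, SS_LATER, PS_LATER)

if __name__ == "__main__":
    # Real use: json.dump(collect_live(), ...) while healthy, store it off-host,
    # then diff(stored_baseline, collect_live()) on a schedule.
    print(json.dumps(diff(BASELINE, LATER), indent=2))
```

Running the sample reports the new UID-0 account `toor`, `web` joining `sudo`, the listener on port 4444, and `nc` plus a second `sshd` appearing in the process list; a clean host returns an empty dict.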

Rating:  Excellent – I’d pay my own way … okay, not really, but that’s how much I liked it.

Thanks for reading and don’t forget to subscribe!

Have You Been Bluesnarfed?

I recently became aware of a couple of scams that can significantly hurt your wallet because the end result is a bunch of unauthorized, but legitimate (from the phone company’s perspective) charges on your cell phone bill.  The prevention of these scams is extremely simple and non-technical.

Scam 1:  A scammer connects to your phone over Bluetooth and downloads your entire address book.  They then add a 1-900 premium relay number as a prefix to each of the stored phone numbers in your address book and upload the modified contacts back to your phone…all in a matter of seconds.

The result?  You call Mom, and your phone simply displays “Calling Mom.”  What’s really happening is that your phone call to Mom is being relayed through a 1-900 premium pay-per-minute “service” and you owe the phone company thousands of dollars by the end of the month.  You’ve been bluesnarfed!

Prevention:  Call your cell phone company and disallow premium phone calls.

Scam 2:  A scammer sits in the back of a crowded movie theater and connects to your cell phone via Bluetooth while it is tucked safely away in a purse or pocket so as not to disturb others.  A second scammer sits outside and sells reduced-cost minutes to a crowd of international visitors who would like to speak to their families.  Unbeknownst to you, they are doing so via your cell phone.

The result?  You owe the phone company big for almost 2 hours of international phone calls.

Prevention:  Call your cell phone company and disallow international phone calls.

I took the preventive steps listed and although the customer service rep at my cell phone carrier initially told me it was not possible, after I pushed them they “figured out” how to disable international and premium outbound phone calls on my line.  Although newer phones make these scams harder to execute, the increased range of Bluetooth makes your “attacker” radius larger than ever before.  Besides, it was a 15 minute phone call and may have saved me thousands of dollars.  I hope you take the same precaution!

Some other general recommendations regarding Bluetooth security:

  1. Turn off discovery mode when not actively pairing a device.
  2. Change default Bluetooth PINs to longer, unique ones.
  3. Turn off Bluetooth when not in use.
  4. Only pair devices in trusted and non-crowded locations.

Thanks for reading and don’t forget to subscribe!

Big Data: Somebody’s Watching You…

It seems as if privacy advocates are starting to get some momentum lately.  There are countless headlines regarding privacy and the missing ability to opt-out of big data collection efforts.  CNN covered this issue in an episode of Inside Man recently.

One marketing company, Acxiom, has decided to publish a website that allows you to review a summary of the data they have collected about you.  That is so nice of Big Data, isn’t it?  I thought so.  However, there are a few caveats worth mentioning.

I went through the process and I couldn’t help but find it questionable.  In order to review the personal data about me they have accumulated, I had to provide a ton of personal information.  You know…to “verify” that the data I am requesting is actually mine.  I think that process makes a lot of sense, Big Data, if you weren’t already selling it to strangers.  Call me a skeptic if you wish, but it kind of makes me question whether or not there are ulterior motives, in addition to your never ending desire to be nice to me.  Am I just giving more personal information to a company who wants my personal information?  What are you up to, Big Data?

I must say that the website is aesthetically pleasing and the report output is definitely interesting.  It does give you some insight into the information marketers have and want about you.  The data about me was inaccurate in some cases.  Don’t worry, though!  Big Data gives you an opportunity to correct information that is not accurate so marketers can better target you.  Thanks?

This website also allows you to opt-out…if you provide all variations of your name, email addresses, phone numbers and mailing addresses.  Uhhhhh….don’t you know that information already, Big Data?

Last, but not least, the data presented is done so at a very high level.  I’m sorry, but there is just no chance that this is all the information a big data company has collected about me.  It is just impossible.  Either this company is a weak one, or they are giving you just the information they feel you need to review.  I’m not so sure you are being forthcoming with me, Big Data.

It is still an interesting exercise.  Check it out if you dare!

Thanks for reading and don’t forget to subscribe!

What Does a Security Guy Do to Protect His Own Computer?

It is not uncommon for someone to ask me what I do to keep my computer safe.  I can’t list everything here, but I will list some of the basic things I do and don’t do, to keep my workstation unhacked (not-a-word).  Some of this stuff is unexciting, but needs to be mentioned regardless.

  • I roll up my car window when driving through a dangerous neighborhood, commonly referred to as the Internet.  More specifically, I do not allow scripts to run on my browser without authorization.

The Internet is a very dangerous place.  If you were driving through a bad neighborhood, would you lock your door and roll up your windows?  Unless you are looking for trouble, it would probably be a good idea.  Hackers describe your browser as a window into your computer.  They love your browser.  We could spend a long time discussing browser security and best practices, but if I had to pick one thing to recommend, it would be this.  Do not allow scripts to run by default.  Scripts are basically little programs that give every website the awesome functionality we are all looking for.  More often than not, you have to allow the scripts on a webpage to run for it to work properly.  Unfortunately, the bad guys know this too and they use scripts to execute a wide range of attacks.  If you are a Firefox user, install NoScript.  I mostly use Chrome so I am using an extension called NotScripts.  I’m also using Vanilla Cookie Manager, HTTPS Everywhere and Adblock Plus for additional protection.  WOT is worth mentioning too.  I still use IE, but only for trusted websites.

  • I never login to do day to day work as a local administrator.  Never.  Sometimes?  NEVER!

I am going to use an overly dramatic illustration to drive this point home.  SANS expert Dr. Eric Cole categorizes surfing the Internet and checking e-mail as two of the most dangerous actions in the world.  Outside of cyber, perhaps bungee jumping would also be considered pretty dangerous.  Would you go bungee jumping without any safety precautions?  Would you detach your bungee cord because you find it to be too restrictive or inconvenient?  Of course not.  You know that bungee jumping with all the precautions in place is still high risk.

The same is true of checking your e-mail and surfing the web.  If I didn’t need admin access to my computer, I would gladly give it up.  It is no great privilege.  Since I do need it to effectively do my job, I log on to my computer as a standard user and if something I am doing requires admin access, I use “Run as” functionality or temporarily log in with my local admin account to do that particular task.  Keep the bungee cord attached!

  • I always install antivirus, enable a local host firewall and set patches to automatically install.  Always.  But I have a Mac…ALWAYS.  But…ALWAYS!

I won’t relaunch into my bungee cord illustration, but you get the point.  Every OS is equally deficient.  Personal sentiments aside, there is no one software vendor that is categorically less vulnerable than another.  In fact, security experts who analyzed which OS has the most vulnerabilities found that the vulnerability counts for the major operating systems were within 2% of one another.  Security decisions must be data driven.  It’s true that some operating systems are more targeted than others, but that detail should not make you feel safe.  Perhaps you’ve noticed that more people today are using Macs.  The bad guys know that too.

  • I use a password manager so that I can maintain separate passwords for each of my accounts.

For the time being I am using Dashlane.  It fills my needs.  There are some other ones out there that are equally great if not better (LastPass, 1Password, yada yada yada).  Basically, password managers allow you to digitally write down every username and password you have and encrypt them using one master password.  They can also generate secure passwords for you so your other accounts are adequately protected.  You can see that there is a tradeoff here.  If that one master password is weak or gets compromised, you are in trouble.  Still, you are much better off if all your passwords are unique and strong.  The Heartbleed vulnerability proves that point: any password sent to a vulnerable server may have been exposed, and if that password was reused, every other account sharing it was exposed along with it.

The biggest factor for me in choosing a password manager is whether or not the company stores your master password anywhere.  Actually, that master password works as the decryption key to the encrypted password list stored within the password manager software.  Encryption is commonly likened to the lock on your door and your master password is the key.  If the encrypted data and the key are stored together, it would be akin to taping your house key to the front door of your house.  Sadly, that is not rare.  Dashlane says they do not store it at all, so if they were breached, the adversary would only get a worthless chunk of encrypted data rather than my password list.  Also, if you forget your master password, it is gone forever.  So are the many passwords protected by it.

An additional benefit was noted by one hacker during a Defcon conference.  One of his targets was inadvertently protected against a keylogger that the hacker deployed.  Why?  The password manager the target used came with an auto-login feature, so there were no key presses to log.  Pretty cool!  It is a side benefit rather than a defense, though: malware that can install a keylogger can usually read the clipboard or the unlocked vault in memory as well.
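To make the lock-and-key picture concrete, here is a toy vault in Python.  It is an added example of my own, not Dashlane’s or any product’s code.  PBKDF2 stretches the master password into a key; the stored blob is a random salt, a nonce, the ciphertext and an authentication tag, and nothing derived from the master password is kept.  The stream cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, used only because the standard library has no AES; a real vault uses a vetted AEAD such as AES-GCM.  The entries and master password are constructed for illustration.

```python
"""Toy password-manager vault: a key derived from the master password encrypts
the password list, and the stored blob never contains the master password.

Added example for this post, not Dashlane's or any product's code.  PBKDF2 and
HMAC are standard-library; the cipher is HMAC-SHA256 in counter mode
(encrypt-then-MAC), a stand-in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

PBKDF2_ITERATIONS = 600_000     # OWASP 2023 minimum for PBKDF2-HMAC-SHA256


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    k = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                            PBKDF2_ITERATIONS, dklen=64)
    return k[:32], k[32:]


def _keystream(key, nonce, length):
    """Concatenated HMAC-SHA256(key, nonce || counter) blocks, cut to `length`."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password, entries):
    """Encrypt {site: {username, password}}; returns what a sync server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(master_password, blob):
    """Decrypt the blob; a wrong master password or a modified blob fails the tag
    check, which is also why a forgotten master password is unrecoverable."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length=20):
    """Random password with at least one lower, upper, digit and symbol."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


# Constructed sample entries (not real accounts).
SAMPLE_ENTRIES = {
    "mail.example.com": {"username": "alice", "password": "Tr0ub4dor&3"},
    "bank.example.net": {"username": "alice.k", "password": "gx7!Qp2#vL9zR4mW"},
}

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", SAMPLE_ENTRIES)
    print("stored on the server:", blob)           # hex only: no usernames, no key
    print("opened locally:", open_vault("correct horse battery staple", SAMPLE_ENTRIES and blob))
    try:
        open_vault("wrong password", blob)
    except ValueError as e:
        print("forgot the master password:", e)
```

The point to notice is what the server ends up holding: four hex strings, none of which is the master password or anything that lets the server recover it, so a breach of the store yields only a brute-force target slowed down by 600,000 PBKDF2 rounds per guess.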

My fingers are tired and I think I shared enough to keep you busy for a while.  What steps do you take to secure your computer?  Let us know in the comments below.

Thanks for reading and don’t forget to subscribe.

Windows Admins: Find Evil

This is a great point of reference for Windows Administrators trying to determine if a process or service is legitimate.  I think this is worth sharing because as a Windows Admin, I googled csrss.exe more times than I’d like to admit.  Enjoy!

“In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. Use the information below as a reference for locating anomalies that could reveal the actions of an attacker.”

Download it HERE.
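For the csrss.exe question in script form, here is an added example of my own (not the poster’s content) that checks a process snapshot against what the core Windows processes should look like: image path, parent, account and instance count, plus a typo-squat check for names one edit away from a real one.  The RULES table is my summary from general Windows knowledge and is an assumption to adjust per Windows version; the snapshot is constructed.  On a real host the same fields come from Get-CimInstance Win32_Process (ProcessId, ParentProcessId, Name, ExecutablePath) and its GetOwner() method.

```python
"""Audit a Windows process list against expected image path, parent, account
and instance count for the core system processes, and flag look-alike names.

Added example for this post, not the SANS poster.  RULES is an assumption
(summarised from general Windows knowledge); the snapshot is constructed.
"""
from collections import Counter

SYS = r"nt authority\system"
SERVICE_ACCOUNTS = {SYS, r"nt authority\local service", r"nt authority\network service"}

# name: (expected image path, allowed parent names or None for any,
#        allowed accounts or None for any, only one instance expected).
# None inside a parent set: the real parent (smss.exe) exits after spawning,
# so the parent PID no longer resolves to a live process.
RULES = {
    "smss.exe":     (r"c:\windows\system32\smss.exe",     {"system"},         {SYS}, False),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe",    {"smss.exe", None}, {SYS}, False),
    "wininit.exe":  (r"c:\windows\system32\wininit.exe",  {"smss.exe", None}, {SYS}, True),
    "services.exe": (r"c:\windows\system32\services.exe", {"wininit.exe"},    {SYS}, True),
    "lsass.exe":    (r"c:\windows\system32\lsass.exe",    {"wininit.exe"},    {SYS}, True),
    "svchost.exe":  (r"c:\windows\system32\svchost.exe",  {"services.exe"},   SERVICE_ACCOUNTS, False),
    "explorer.exe": (r"c:\windows\explorer.exe",          None,               None, False),
}


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def audit(procs):
    """(pid, name, reason) findings for dicts with pid, ppid, name, path, user."""
    by_pid = {p["pid"]: p for p in procs}
    seen, findings = Counter(), []
    for p in procs:
        name, path, user = p["name"].lower(), p["path"].lower(), p["user"].lower()
        parent = by_pid.get(p["ppid"])
        pname = parent["name"].lower() if parent else None
        if name not in RULES:
            for known in RULES:                 # scvhost.exe, lsasss.exe, ...
                if osa_distance(name, known) == 1:
                    findings.append((p["pid"], name, f"name is one edit away from {known}"))
            continue
        exp_path, parents, accounts, single = RULES[name]
        seen[name] += 1
        if path != exp_path:
            findings.append((p["pid"], name, f"unexpected image path {p['path']}"))
        if parents is not None and pname not in parents:
            findings.append((p["pid"], name, f"unexpected parent {pname or 'unknown'}"))
        if accounts is not None and user not in accounts:
            findings.append((p["pid"], name, f"unexpected account {p['user']}"))
        if single and seen[name] > 1:
            findings.append((p["pid"], name, "more than one instance"))
    return findings


def proc(pid, ppid, name, path, user):
    return {"pid": pid, "ppid": ppid, "name": name, "path": path, "user": user}


# Constructed snapshot: a clean boot chain plus one logged-on user ...
HEALTHY = [
    proc(4, 0, "System", "", r"NT AUTHORITY\SYSTEM"),
    proc(300, 4, "smss.exe", r"C:\Windows\System32\smss.exe", r"NT AUTHORITY\SYSTEM"),
    proc(400, 300, "csrss.exe", r"C:\Windows\System32\csrss.exe", r"NT AUTHORITY\SYSTEM"),
    proc(500, 300, "wininit.exe", r"C:\Windows\System32\wininit.exe", r"NT AUTHORITY\SYSTEM"),
    proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    proc(700, 500, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"NT AUTHORITY\SYSTEM"),
    proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE"),
    proc(900, 850, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\bob"),
]
# ... and three things that should jump out: svchost.exe from %TEMP% spawned by
# explorer, a second lsass.exe running as a user, and scvhost.exe.
SUSPECT = [
    proc(1000, 900, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", r"CORP\bob"),
    proc(1100, 900, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"CORP\bob"),
    proc(1200, 600, "scvhost.exe", r"C:\Windows\System32\scvhost.exe", r"NT AUTHORITY\SYSTEM"),
]
SNAPSHOT = HEALTHY + SUSPECT

if __name__ == "__main__":
    for pid, name, reason in audit(SNAPSHOT):
        print(f"{pid:>6}  {name:<14} {reason}")
```

The clean part of the snapshot produces no findings; the three planted processes produce seven, which is the whole idea of the poster: you only need to know what normal looks like to make evil stand out.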

Thanks for reading and don’t forget to subscribe!

PSA regarding TMI

The day I passed my driver’s test, my father sat me down to chat.  He lovingly reminded me that if driven responsibly, a car would prove to be a valuable tool.  If driven recklessly, it could instantly transform into a 3000 pound bullet.

Is this post really about driving your car safely?  No.  However, the concept applies to using the Internet responsibly.  Social networking is a valuable tool and a big part of our daily lives, both socially and professionally.  However, posting without discretion can put ourselves and others in danger from Internet hooligans.  Check out the infographic below for some loving reminders.

[Infographic: How Too Much Information Shared Through Social Media Can Really Hurt You]

Thank you for tuning in to this public service announcement (PSA) regarding too much information (TMI).

So, what do you do to stay safe while using a particular social networking site?  Post a comment below.

Thanks for reading and don’t forget to subscribe!

Seedy Software Removal CD

Malware is becoming almost impossible to clean.  Seriously.  If a computer has been infected, it almost always requires a hard drive wipe and OS reinstall.  That’s how advanced malware is today.  It’s not uncommon for a computer to “look” perfectly clean while it is secretly “talking” to Eastern Europe and China…a high tech Chatty Cathy of sorts!  Sorry to disappoint the antique toy fans, but that will be my last Chatty Cathy reference.

https://blogs.technet.com/b/security/archive/2012/09/19/microsoft-s-free-security-tools-windows-defender-offline.aspx

In some rare cases it’s possible to clean a computer that’s infected, but your best chance of doing so successfully would require running a scan on the infected hard drive from an alternate, uninfected computer.  For this reason, I have been looking for a bootable CD with an anti-malware engine on it to attempt this process without the extra step of pulling the hard drive and accessing it from a clean computer (which by the way puts the clean computer in harm’s way and is not recommended).

I tried using the Symantec Endpoint Recovery Tool (SERT) and I have no doubt that it can work, but I ran into some challenges.  For instance, the signature file had to be downloaded separately and imported by the AV engine.  Sure, the concept makes sense.  Why bother creating a new CD with new signatures every time you want to run it?  Instead, just download the latest signatures and keep using the same disc.  However, the process was not straightforward.  For simplicity’s sake, I would rather just download an updated boot CD every so often with updated signatures embedded.  This may not be a good solution if you are a technician cleaning computers daily, but for the majority of us it would not be much of a hassle to do this a few times per year or even once a month.

Microsoft offers one such solution for Windows computers and it’s FREE.  I used it myself and it was easy and effective.  If you create a bootable USB drive instead of a CD, there is an option to update the signatures similar to Symantec’s offering.  However, I opted to create a bootable CD, which was extremely straightforward.  Besides, if you store anti-malware tools on a USB stick you run the risk of the writeable USB stick getting infected while trying to quiet down Chatty Cathy (oops).  A read-only CD cannot be tampered with by the machine it is cleaning, and I would much rather just download a new copy whenever needed.

I plan on running this every month or so just to see if it finds anything on my primary work computer.  It’s so easy to do, why not?

Microsoft Security Blog: Windows Defender Offline

Do you have any favorite malware tools we should know about?  Share it with us in the comments below.

Thanks for reading and don’t forget to subscribe!

Target Practice – Lessons Learned from the Target Breach

If you type “Target Breach” into a search engine you will get a plethora of articles discussing why, how, and what we should do about it.  I can’t fight my inclination to chime in on the discussion.  What should our takeaways be?  I’ve narrowed it down to three.

1)  What was really stolen?  Credentials!

How did the bad guys access Target’s extensive point of sale system?  Evidence indicates that they used credentials stolen from an employee of Target’s HVAC company.  Let me say that another way… The heating and a/c company had an account with basic access to Target’s IT systems (similar to a NetID in SB lingo) and, using that stolen password, the attackers went on to steal millions of credit card numbers.  Is that surprising?  Not really.  This pattern is called “privilege escalation,” usually combined with lateral movement.  Once someone has basic rights to a system, they can start looking for holes and hop around an internal network until they find another step higher on the staircase to heaven, or in this case, credit card number bliss.

It may also sound intimidating to think that they “harvested” the vendor’s credentials.  All that really means is that they probably sent the HVAC company a phishing email with a link to a phony website.  We get those almost every day.  Most people would be surprised to learn that there is step-by-step documentation on how to launch this type of attack.  You don’t have to be an experienced hacker to do it.  In fact, the easiest way to do so is with the Social-Engineer Toolkit (SET).  It is literally a menu-driven program that can be used to clone a login page, host the copy and send out e-mails to get someone to visit your fake site.  No HTML or programming skills needed.  Notice the screenshots below to get an idea of what it takes to set up a basic phishing website.

Hacker says to himself, “Hmmmmm, what should I do today.  Let’s go with social engineering!  That is clearly choice number 1!”

[SET screenshot: main menu]

“Phishing…no not right now.  Mass Mailer…nah.  Ooh let’s see what is behind door number 2, Website Attack Vectors!”

[SET screenshot: social engineering attack vectors]

“If there is one thing I’m missing it’s someone else’s credentials!  I will choose credential harvester,” logically states the credential starved hacker.

[SET screenshot: website attack vectors]

“I love how this tool has the ability to clone an existing site.  However, I think I will take a quick look at the built-in templates,” thinks the efficient hacker.

[SET screenshot: credential harvester options]

“YES!  There is an existing template for Gmail!  This is shaping up to be a wonderful day.  As it turns out, many of the organizations I am interested in use Gmail.  I will pick choice number 2,” concludes the hacker.

[SET screenshot: built-in templates]

“Hello trusting academic professional.  Please click on this link and login to Gmail,” snickers the excited hacker as he sends out his email.  “I sure hope they don’t notice the strange address in the address bar…”

[Screenshot: cloned Gmail login page with the wrong address in the address bar]

Behind the scenes, this is what our hacker is seeing…credentials successfully harvested!

[SET screenshot: harvested credentials]

Admittedly, this is not the whole story especially not when it comes to what happened in Target’s case, but this should give you an idea of how accessible launching a phishing campaign is to the black, white and grey hat hacker community.

The lesson here is simply to use strong passwords, change them regularly and use discernment when reading emails and clicking on links.
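Since “discernment when clicking on links” is easier said than done, here is an added example of my own (not part of SET or anything Target published) that applies the address-bar check to the e-mail before anyone clicks: it pulls every link out of an HTML message and flags display text naming one host while the href goes to another, links to bare IP addresses, and hosts that borrow a trusted brand name without being that domain, which is exactly what a cloned login page hosted by SET looks like from the outside.  The trusted-domain list and the sample message are constructed for illustration.

```python
"""Flag phishing-style links in an HTML e-mail: display text that names one
host while the href goes to another, links to bare IP addresses, and hosts
that borrow a trusted name without being that domain.

Added example for this post; not part of SET or the original article.
TRUSTED and SAMPLE_EMAIL are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("google.com", "gmail.com", "example.edu")   # hypothetical allow-list


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _Anchors()
    parser.feed(html)
    return parser.links


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _shown_host(text):
    """Host named by the visible text, if the text looks like a URL or hostname."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower() or None


def check_link(href, text):
    """Reasons an anchor looks suspicious; an empty list means nothing odd."""
    reasons = []
    host = (urlsplit(href).hostname or "").lower()
    if not host:
        return reasons
    if _is_ip(host):
        reasons.append("points at a bare IP address")
    shown = _shown_host(text)
    if shown and shown != host:
        reasons.append(f"displays {shown} but goes to {host}")
    if not any(host == t or host.endswith("." + t) for t in TRUSTED):
        for t in TRUSTED:                       # accounts.google.com.evil.net, gmail.com-login.ru
            if t.split(".")[0] in host:
                reasons.append(f"uses the {t} name but is not {t}")
    return reasons


def check_email(html):
    """{href: [reasons]} for every link in the message that raised a flag."""
    flagged = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample message: two phishing links and two legitimate ones.
SAMPLE_EMAIL = """<p>Your mailbox is almost full. Please sign in to review:</p>
<a href="http://accounts.google.com.login-verify.net/ServiceLogin">https://accounts.google.com/ServiceLogin</a>
<p>or use the quick link <a href="http://203.0.113.7/gmail/">Sign in to Gmail</a>.</p>
<p>Legitimate links: <a href="https://mail.google.com/">mail.google.com</a> and
the <a href="https://www.example.edu/it/">IT Help Desk</a>.</p>"""

if __name__ == "__main__":
    for href, reasons in check_email(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

The host check is deliberately crude (last two labels as the registrable domain, a substring match on the brand name); it will over-flag, which is the right failure mode for a warning shown to the person about to click.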

2)  Regulatory compliance (PCI) is a MINIMUM standard.

Target was PCI compliant at the time.  In this case, regulatory compliance did not protect the data it was intended to protect.  Does that mean PCI is worthless?  Not by a long shot.  PCI is a minimum standard.  No standard will ever successfully prevent every possible breach.  I still believe it is a valuable baseline and compliance will prevent a wide range of credit card fraud.  However, being PCI compliant is not enough.  For example, regulatory compliance will never be able to secure the human element of security.  All the PCI compliance in the world would not prevent someone from the janitorial staff (out of PCI scope for all intents and purposes) from giving away their credentials.  With that said, layers of protection are critical.  Never should we assume that data is safe inside the perimeter.  Defense in depth portrays important data like the core of an onion, protected by many layers along the way.  Each layer can and will fail at times, but they would all have to fail for a breach to be successful.

http://technet.microsoft.com/en-us/library/cc512681.aspx

3)  Shop with a Credit Card

I hate using credit cards because I, ahem, “forget” to pay them in full.  For that reason I started using my debit card everywhere, including random gas pumps, 7-11’s, obscure websites and even at Target and Michaels.  I’m exaggerating slightly, but the point is that if the money is taken from your bank account it’s harder to get it back.  Sometimes it’s impossible.  Use a credit card and take advantage of the fraud protection Visa, MasterCard and others offer.  At worst you will lose $50.00 if you report fraudulent charges promptly and most credit cards refund your account in full immediately upon receiving a report.

In summary, be aware of phishing attempts regardless of how small or large your role in an organization is.  Learn about regulatory compliance that affects your area of expertise and don’t just meet the standard, exceed it.  Finally, when spending your hard-earned money, spend someone else’s first by means of a credit card and then pay them off in full as fast as you spend.

We are a target.  We can’t change that.  However, we can determine how easy of a target we are willing to be.

Do you think there are other important lessons to be learned from the Target incident?  Post your comments below!

No Longer Needed? Delete it!

Another day, another breach…

There are several breaches involving universities in the news this week.  The largest one claiming all the headlines at the moment involves the University of Maryland.  However, I think an important lesson can be learned from a smaller Texas college breach.

The details regarding how this breach occurred are relatively scarce.  However, the files containing student records were created in 2006 and 2008.  The creation date brings to the fore a simple action that could have significantly reduced the impact of this breach.  Delete files that no longer need to be retained!  I don’t have insight into whether or not these particular files were still required for any reason, but the point is well illustrated, isn’t it?

All too often files with sensitive information are created for a specific purpose and long after that purpose is fulfilled, the files are kept.  Of course, regulatory requirements sometimes require that we hold on to data for a specified period of time, but more often than not it is not necessary to keep that information in several formats indefinitely.

If it’s no longer needed, delete it! (or in the very least, archive it)

Texas College Server Breached (SC Magazine)

TSTC:  Unauthorized Server Access

Extra! Extra! Privacy for sale!

Data Privacy Month

Privacy is a keyword that has sold a lot of newspapers lately.  Why is that?  For starters, absolute privacy is more elusive than Peyton Manning trying to win a 2nd Super Bowl.  43-8 Seahawks, but I digress.

When discussing online and data privacy, responses can generally be summarized into one of three statements:

“I don’t have anything to hide, anyway.”

or

“I don’t have any data anybody wants.”

or

“The ‘Internets’ and NSA can read our minds!  Break out the aluminum foil.”

There is some truth to all of those statements.  However, let me respond one by one…

“I don’t have anything to hide, anyway.”

Hopefully, that is true!  I would put myself in that category.  However, not having anything to hide is not the same as, “please document all of my likes, dislikes, medical conditions and internet searches.”  The power of big data is amazing.  It’s hard to imagine what a single search provider can deduce from your search history.  Add your social media activity and GPS coordinates from smartphone snapped photos to the mix and it would be a mundane task to predict where you are going to have lunch…next Wednesday….before you even know.  So, what’s the harm in that?  Well, like anything else there is no harm if that information is not abused.  However, the idea of so much personal information logged on a server somewhere in cyberspace can make anyone a little bit uncomfortable when you start to give it some thought.  After all, these companies exist to make money and your information is the product they are selling.  If someone was following you, your children and your “friends” around with a pen and pad, from a safe distance of course, jotting down your schedule and any other details they could gather in plain sight, would you be OK with that? Unlikely.

Be aware of the fact that when you are logged into a social media account or search engine, your web traffic and Internet searches are likely being logged and analyzed.  If you have a problem with that, remember to log out of all websites you logged into and clear your cookies and cached files before browsing the web.  Some individuals keep a separate browser for random searches and web traffic and another browser for logging into social media websites and the like.

“I don’t have any data anybody wants.”

Actually, you do.  You have credit cards, a social security number and credentials to campus or corporate resources.  You may have access to intellectual property or research data.  You definitely have access to a computer.  Many of today’s attackers are more interested in computing power as much as anything else.  If they can turn your computer into a zombie and make it part of their apocalyptic cyber army, they are more powerful and more effective in getting what it is they’re ultimately after.  There have been countless cases of a computer sitting under the desk of a receptionist in an inconsequential office taking part in a cyber attack against a high value target.  So don’t subscribe to this faulty reasoning.  It’s just not true.

“The ‘Internets’ and NSA can read our minds!  Break out the aluminum foil.”

Well, this is not true as it stands today, but there is no telling what next week will bring.  Here’s the bottom line.  The climate of information security has changed from ‘trust but verify’ to ‘don’t trust and verify’.  Everything worth protecting needs to be protected.  What do I mean by that obscenely obvious statement?  Assuming something is safe or relying on security by obscurity is not going to cut it anymore.  Any data hitting the wire or the air via WiFi should be viewed as fair game for invited or uninvited onlookers to see.  Encryption for data at rest and data in transit is not an option; it’s a requirement.  Every website, product or software package you are investigating should support encryption.  Accept no less and assume your local network is already breached in some way.  It’s not paranoia.  It’s reality more often than anyone would like to admit.

Watch this short video for some important reminders.  It’s an oldie but goodie if you haven’t seen it before.