Interop NY 2014 In a Nutshell


This week I attended Interop NY for 5 days and thought I would share some highlights from the week.  The daily commute was painful, but the Javits Center is only a brisk 15 minute walk from Penn Station and a pretty cool venue overall.

Day One:  The first day I attended an all-day workshop consisting of an intro to web application penetration testing.  It was a nice review of the most common web vulnerabilities and how they are exploited today, and if you are responsible for writing or supporting a web app I would highly recommend you become familiar with the OWASP Top 10.

Hint:  If typing <script>alert('Hi Hacker')</script> in an input box on your website produces a pop-up box, be afraid.  Be very afraid… That pop-up means the page echoed your input back as live HTML without encoding it, which is a textbook cross-site scripting (XSS) hole, and anything you can make a browser run from there an attacker can too.  Some useful tools reviewed included sqlmap, Burp, and an awesome cross-site scripting checker called XSS-Me.
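To make the hint concrete, here is an added Python example (mine, not code from the workshop or from this post) showing a reflected search box done the vulnerable way and the hardened way, plus the kind of probe check a tester would script.  It uses only html.escape from the standard library; the function names, the two probe strings and the HTML fragments are constructed for illustration.  The second probe goes beyond the post's example: it targets input reflected inside an HTML attribute, where no <script> tag is needed to break out.

```python
import html

# Probes a tester would type into a form field. The first is the one from the
# post; the second is for inputs reflected inside a quoted HTML attribute,
# where closing the quote is enough. Both are constructed test strings.
TEXT_PROBE = "<script>alert('Hi Hacker')</script>"
ATTR_PROBE = '" onfocus="alert(1)" autofocus="'


def render_vulnerable(term: str) -> str:
    """Reflects the search term into the page body as-is (the bug)."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Encodes the term for an HTML text node before reflecting it."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attr_vulnerable(term: str) -> str:
    """Reflects the term into a quoted attribute without encoding quotes."""
    return f'<input name="q" value="{term}">'


def render_attr_hardened(term: str) -> str:
    """quote=True turns '"' into &quot; so the probe cannot close the attribute."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def reflected_as_script(page: str) -> bool:
    """Did the probe come back as a live <script> element?"""
    return "<script>" in page.lower()


def reflected_as_attribute(page: str) -> bool:
    """Did the probe close the value attribute and smuggle in an event handler?"""
    return '" onfocus="' in page


def audit(render_text, render_attr) -> list:
    """Run both probes through a pair of renderers and report what leaks.

    Returns the names of the probes whose markup survived unencoded, so an
    empty list means the renderers passed this (deliberately small) check.
    """
    findings = []
    if reflected_as_script(render_text(TEXT_PROBE)):
        findings.append("text-node XSS")
    if reflected_as_attribute(render_attr(ATTR_PROBE)):
        findings.append("attribute XSS")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable, render_attr_vulnerable))
    print("hardened:  ", audit(render_hardened, render_attr_hardened))
```

The takeaway is that the fix is output encoding chosen for the context the data lands in (text node, attribute, JavaScript string, URL each need different treatment), and a templating engine that auto-escapes is safer than hand-rolling it per page.  A two-probe check like this is a sanity test for your own code, not a replacement for running Burp or XSS-Me against the site.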

Day Two:  On the second day I attended another all-day workshop which focused on the components of a risk management program.  The presentation was very well put together and the speaker made some interesting points.  For example, the cloud should be defined as anything out of our direct control.  There is no such thing as a “best” practice; refer to industry recommended practices instead.  IT security is a subset of Information Security, which is a subset of Enterprise Risk Management.

Days 3-5:  Vendor Expo and Educational Sessions

The following day was the kickoff of the expo and began with the first of two keynotes.  The headliner was Seth Meyers and he did a 30 minute stand-up with some technology jokes peppered throughout.  He shared a story about that one time he jumped on his friend’s computer and typed the first few words of a search and the terrifying search history of his friend appeared…AWKWARD.  There were some other great keynote guests like a VP from CBS and HBO, the founder of Gilt, and the CTO from Obama’s 2012 campaign, among others.  Overall, they had some very insightful comments prepared and even some unorthodox ways of running their enterprises.  For example, Gilt makes changes to production every 15-30 minutes by breaking its website into hundreds of small applications, each managed by a different group.  Essentially, they are mimicking open source development within the enterprise.  Several company execs agreed that there is a major talent shortage and believe strongly in developing talent internally and keeping your employees content.

Throughout the keynotes and the 1 hour sessions over the next 3 days, I heard many technology buzz words absolutely destroyed.  Can I get an amen?!

  • Big Data is just data.  We need Big Answers.  – Harper Reed (Formerly Obama 2012 CTO; Modest, Inc.)
  • Big Data is just business analytics with lipstick. – John Pironti (IP Architects, LLC.)
  • Cyber, Cyber, Cyber, Cyber, Cyber…stop it! – David Rhoades (Maven Security)
  • The cloud is just adding another data center that you don’t manage. – Elliot Glazer (Dun & Bradstreet)

The vendors came out in DROVES.  I heard one vendor throwing around a new term that I can imagine picking up speed: “encryption in-use.”  The irony of it all is that one of the ongoing messages throughout the Information Security and Risk Management track was to stop buying “widgets” you will not make full use of before first making full use of the “widgets” you have.  With that said, the expo was a very effective way to get up to speed quickly on a wide range of vendor offerings.  I think I will need a new work number, though, because I have no doubt that it will be ringing off the hook from now on.  Good thing I registered with my CISO’s phone number instead of my own…

In addition to chatting with many vendors and sitting through several vendor-specific presentations, below is a list of the sessions I attended.  Feel free to reach out if you want more information about any of them, but the slides from every presentation are available right HERE.

Session ID Title
830131 Hands-On Web Application Penetration Testing
829636 Acknowledge the Inevitable: How to Prepare For, Respond To, and Recover From a Security Incident
100001 Wednesday Keynotes
830310 A CISO’s Perspective: Friend or Foe? Effectively Managing Third Party Information Security Risks
830317 Emerging Tools and Trends in Hacking
830315 Cloudy with a Chance of Encryption
100004 Thursday Keynotes
830313 Next-Generation Firewalls: Results from the Lab
830314 The Threat Within: Managing Insider Risks and Building a Culture of Security
830311 What’s Next? Emerging Trends in Information Risk Management and Security
830316 Is Your Data Really Safe? A Security Checklist Everyone Must Implement
830318 Next Line of Defense: Internet of Things

Rating:  Fair – I’d go back for the keynotes and expo, but I felt like they were trying awfully hard to stretch a 2 day conference into a 5 day conference.

Thanks for reading and don’t forget to subscribe!

SANS SEC401 Course Review

I recently completed the SANS SEC401 Security Essentials Bootcamp course via an online on-demand webcast.  If taken in person, this course runs 9 AM to 7 PM for six days…hence the “bootcamp” label.  With the on-demand format, you have the added privilege of viewing the lecture content at your own pace over a four month period.

If I can summarize the course in one word it would be, “AWESOME.”  The author and instructor of the course is Dr. Eric Cole, a SANS Institute fellow.  His enthusiasm is contagious and he made approximately 50 hours of lecture content fly by in what felt like a mere 49 hours.  That is no simple feat considering the content.  Each day is dedicated to a particular topic:  Day 1:  Networking Concepts, Day 2:  Defense In-Depth, Day 3:  Internet Security Technologies, Day 4:  Secure Communications, Day 5:  Windows Security, Day 6:  Unix/Linux Security.  Oh, and there is a corresponding book for each day…

SANS GSEC401 Text Books

I read every word and went the extra measure of creating an index for all 6 volumes, which SANS intentionally neglects to include to encourage “learning.”  I followed the advice posted by this fellow SANS trainee so I won’t bother going into detail.  My index looks eerily similar to his and I found his blog posting very useful.  In total it is 28 pages long.

What I especially loved about this course is that Dr. Cole added so much real world context to the material.  The course differs from the “textbook” model of teaching, and as far as I’m concerned, this should be a requirement for all security courses.  Textbook and real world are often misaligned, and the content addressed these challenges head on.  On the other hand, examples were provided of when textbook recommendations have been ignored and at what cost.  For example, he talked about a scenario where an adversary breached a very large network.  One of the well-meaning administrators sent a message over email in reference to cleaning up the breach.  Oops…they never had a chance because the adversary read the email and inflicted as much damage as possible by Monday.  This highlights the importance of out-of-band communication in the event of an incident: once you suspect the network is compromised, assume the attacker is reading anything that crosses it.

There were also tons of hands-on labs and practical content.  I spent the time doing every lab and had the opportunity to play with tools like tcpdump and even messed around with steganography.  It was kind of fun hiding a secret message to my wife within a jpg picture of our kids.  Hands-on training is a simple but powerful learning technique and SANS makes good use of it as part of their curriculum.

Compared to the CISSP content, which I consumed 6+ months ago by means of a self-study program, I found there to be some overlap.  More often than not, the SANS training looked at hands-on topics more granularly, but areas of theory were covered in more detail within the CISSP courseware.  For example, the Bell-LaPadula model was briefly mentioned in SEC401, but explained in further detail by the CISSP.  Overall, I am happy with the order in which I pursued these credentials, but they could have been tackled in reverse order just the same!

This class truly was a bootcamp and for that reason I did appreciate the ability to go through the material at my own pace.  In some regards, though, I think doing so is prolonging the pain, er, I mean, extending the fun.  There is something to be said for battening down the hatches and going off-grid for 6 long days versus trying to steal 6 long days from your normal schedule.  Some other courses, which are more lab intensive and collaborative, would not be as good if taken in this format.

SANS offers endless training opportunities and there is a case to be made for all IT employees to take some of their training.  For example, they have an entire course that focuses on Windows Security.  There’s another that focuses on Unix Security.  Secure Web Development?  They’ve got that.  Let’s not forget Network Security…  The list goes on and on.  These courses are not just for security analysts.  They are for IT professionals who want to accomplish their job in a secure manner and I highly recommend them to all IT administrators.  Perhaps one person from each department could attend one SANS course per year?  Wishful thinking perhaps, but it would be a great investment and in line with our core values here at DoIT:

“We will actively hire great people, develop the growth of our staff, promote a diversity of voices, and support our staff.”

I will be taking the associated GIAC GSEC exam within the next week for the sake of putting a rubber stamp on this experience.  However, it’s really all about the journey, not the destination!

Some food for thought from the course:

1) Prevention is ideal.  Detection is a must.

2)  What is the risk?  Is it the highest priority risk?  Is it the most cost effective way to mitigate the risk?

3)  TCP/IP and TCPDUMP Cheat Sheet

4)  SANS Windows Tools and Scripts Download

5)  Baseline your systems while they are healthy by, at a minimum, documenting running processes, listening ports, existing users (especially accounts with root-level access, i.e. UID 0) and admin group membership.  Without a known-good baseline you cannot tell what an intruder added.
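As an added example for item 5 (my own code, not material from the course), here is a small Python script that records the four things listed as a baseline and diffs a later snapshot against it.  Everything it consumes is constructed sample data standing in for /etc/passwd, /etc/group, a process list and a listening-port list; on a real Linux host you would read the two files and feed in the output of ps and ss (or netstat).  The function names and the admin group list are my assumptions.

```python
# Constructed sample data standing in for /etc/passwd, /etc/group, the output
# of `ps -eo comm=` and the local addresses from `ss -ltn`. None of it comes
# from a real host; the "later" copies contain the kinds of changes a
# baseline is meant to catch (a second UID 0 account, a new sudoer, a
# netcat process and a listener on 4444).
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
PASSWD_LATER = PASSWD_BASELINE + "toor:x:0:0:second root:/root:/bin/bash\n"

GROUP_BASELINE = """\
root:x:0:
wheel:x:10:
sudo:x:27:alice
"""
GROUP_LATER = GROUP_BASELINE.replace("sudo:x:27:alice", "sudo:x:27:alice,svc-backup")

PROCS_BASELINE = ["systemd", "sshd", "cron", "nginx"]
PROCS_LATER = PROCS_BASELINE + ["nc"]

PORTS_BASELINE = ["0.0.0.0:22", "0.0.0.0:80"]
PORTS_LATER = PORTS_BASELINE + ["0.0.0.0:4444"]

# Groups whose membership grants admin rights on typical Linux builds
# (an assumption; adjust for your distribution).
ADMIN_GROUPS = ("root", "wheel", "sudo", "admin")


def uid0_accounts(passwd_text: str) -> set:
    """Every account with UID 0. Anything besides 'root' here needs explaining."""
    found = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            found.add(fields[0])
    return found


def admin_group_members(group_text: str) -> dict:
    """Map each admin group to the users listed in its member field."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, users = line.split(":", 3)
        if name in ADMIN_GROUPS:
            members[name] = frozenset(u for u in users.split(",") if u)
    return members


def snapshot(procs, ports, passwd_text, group_text) -> dict:
    """The baseline itself: take it while the box is known-good, store it off-host."""
    return {
        "processes": set(procs),
        "listening_ports": set(ports),
        "uid0_accounts": uid0_accounts(passwd_text),
        "admin_groups": admin_group_members(group_text),
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline; an empty dict means nothing did."""
    report = {}
    for key in ("processes", "listening_ports", "uid0_accounts"):
        added = current[key] - baseline[key]
        removed = baseline[key] - current[key]
        if added or removed:
            report[key] = {"added": added, "removed": removed}
    new_admins = {}
    for group in set(baseline["admin_groups"]) | set(current["admin_groups"]):
        before = baseline["admin_groups"].get(group, frozenset())
        after = current["admin_groups"].get(group, frozenset())
        if after - before:
            new_admins[group] = set(after - before)
    if new_admins:
        report["admin_members_added"] = new_admins
    return report


if __name__ == "__main__":
    base = snapshot(PROCS_BASELINE, PORTS_BASELINE, PASSWD_BASELINE, GROUP_BASELINE)
    now = snapshot(PROCS_LATER, PORTS_LATER, PASSWD_LATER, GROUP_LATER)
    for key, change in compare(base, now).items():
        print(f"{key}: {change}")
```

Two caveats a practitioner would add: keep the baseline somewhere the host cannot modify it (an intruder with root can edit the copy on disk as easily as /etc/passwd), and remember that ps and ss only report what the kernel shows them, so a compromised kernel can hide from this check; the baseline is a cheap first pass, not a rootkit detector.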

Rating:  Excellent – I’d pay my own way … okay, not really, but that’s how much I liked it.

Thanks for reading and don’t forget to subscribe!