the pwk (oscp) course take two, or where my free time has gone

Back in 2008 I signed up for the Pentesting with BackTrack course and Offensive Security Certified Professional exam put on by the folks at Offensive Security. I even blogged about enrolling and getting started on it. Just to put this into perspective, this was back in 2008…when BackTrack 3 was still in beta! I also have a 4 digit OS-ID number…old school!

As alluded to in those old posts, I ended up getting immediately swamped with unexpected work at the exact same time I signed up for the course. And while I was able to slowly consume the videos and PDF materials over small moments, I was never able to really get much going in the labs. I was pretty mentally spent in those days after work. My lab time expired with no exam attempt made.

But I’ve never wavered in my interest in the certification itself and in finishing the cert out.

So last year I renewed my course materials for a small upgrade fee, and near the end of February renewed my lab time.

I’ve had 20+ days in the labs out of 90 so far and have rooted 28 out of the 50-ish systems that exist. I’m pretty happy and stoked with the experience and learning that is happening this time around. And while I do like my progress, I still have plenty of room to grow. I need to get faster and more practiced with my process if I want to feel good going into the exam. I also have avoided some of the known harder systems in favor of “easier” wins and gradual escalation in difficulty. At least as much as I can with otherwise blindly picking targets. I’m at least happy that I’ve been able to make progress and not have to walk away from any targets yet due to lack of success; if I’ve targeted a system to take down, it has always eventually gone down.

I do have other sub-goals as well to accomplish during my 90 days of access that go beyond just preparing for the exam. I want to get every box in the labs down, and then I want to do them again with only minimal assistance from my past notes; I want to make sure I know the clues to look for, why they’re clues, why certain things work, and maybe even find new avenues of attack as many boxes have additional issues. I want to also run OpenVAS against as many as I can get credentials to, to see if I can find things I missed. I also want to make sure that I can run through as much of the labs as I can with Metasploit and without the automated tools. The exam will limit usage of automated tools, but the real world of pen testing will not, and I’d like to take advantage of the excellent lab environment while I have access to it.

So far it’s been a blast, and while things might slow as I hit harder systems, I hope to continue my success over the next few months!

central iowa security geeking out rundown

You’re moving to Iowa and you’re a security geek. Or you’re new to the profession and looking to get on with your career. Where do you go to hob-knob with your people? Here’s a quick 2017 rundown of what I know about the central Iowa/Des Moines security scene.

SecDSM – Probably the most informal of the groups here and stays vendor-neutral. Has a Slack that I’ve not visited. No registration, so just show up! Meetings are after working hours
ISSA – 4th monday of every month, meetings should usually be open to the public.
ISACA – third Tuesday of every month, meetings do often have a door fee attached, with discount for ISACA members.
Infragard – most meetings require pre-vetted membership, so inquire before attending. Background check is part of the vetting process.
ISEAGE Red Team events – get yourself on the mailing list for invites to be part of the red or blue (green?) teams for regular events every year hosted in Ames (usually) for high school and college level competitions.

BSidesIowa conference – April 22, 2017 (Saturday)
SecureIowa conference – October 3, 2017 (Tuesday)
DataConnectors – traveling tour of security presentations and marketers, which just visited Des Moines earlier this month.

And here are some local-ish businesses and friends that make for great places to check into for upcoming events beyond things listed up above. I know I particularly love seeing a major geeky movie at Flix Brewhouse for free with my friends and co-workers!
Cisco West Des Moines Office (I don’t actually know how to track this one. I usually hear this through the grapevines…) If you’re a purchaser of Cisco products, check with your local rep/seller to get on this mailing list!

What else is sort of nearby? Typically, events in Cedar Rapids, Iowa City, Ames, Omaha (NE), and Kansas City (MO) are attendable if you don’t mind the various drive distances. Chicago (IL) and Minneapolis/St. Paul (MN) regions are also doable.

And, if nothing else, there are tons of places to hang out, have fun, or eat sushi (or anything else) and drink away some security frustrations with small groups and friends.

it is still not time for pci dss to die

Saw an article saying that Arby’s has reports of a mid-January data breach of more than 350,000 credit and debit cards. This echoes a breach from 2016 by Wendy’s. I would link to this article, but it’s not necessarily a source I usually look at. If I find this mentioned elsewhere, I’ll add the link. If true, I’m at least interested in the short gestation time for that malware being present and someone noticing it! (Just like every breach, I’d love the full, un-redacted story from infection to discovery so I can gauge how truly impressed I may or may not be.)

One comment I noticed was asking if it’s time to ditch the useless PCI framework and get back to real security?

That’s a good question, and an easy answer for any company that is already enlightened about digital security.

But many are not, and PCI has been the only driver for any type of interest in security. Granted, those companies may still just be filling the checkboxes of the PCI requirements and not really doing much of anything of real ongoing value, but it does do a few things.

First, it mandates pen tests and third party examinations of an environment. You’re still only getting what you pay for, but this could at least expose some low hanging fruit.

Second, it gets a few extra tools in place that a company may normally not even bother with, such as IDS/IPS and code reviews or a WAF or firewall rule reviews. How many SMB environments run any sort of vulnerability assessment internally if they’re not asked to by a regulation? Very few. And those reports expose many small and large issues that can be fixed for little effort and high value.

Third, some of these checkboxes are in part driving the UTM market and other conglomerated boxes that combine many tools into one pane of glass and management umbrella. This is (arguably) good for everyone, and especially so as prices go down (a little) and quality goes up (a little), especially in comparison to an environment that just has outdated Antivirus, an old firewall, and nothing else.

Security efforts (and even things like making sure backups are successfully created) are things that almost always fall into second place behind revenue-generating events or tasks that support revenue generation. They just get done “tomorrow.”

We also need to remember that PCI DSS was created more to cover the butts of the card processors than it was to protect merchants and end-users. It’s also not the ultimate answer to security; it’s a framework that needs to be implemented properly for an environment and continuously effective. So maybe crying about the state of PCI isn’t even the correct place to be looking.

And no discussion of this topic would be complete without diving into the world of cyber/data breach insurance. If we don’t want to abide by rules, maybe we’ll just start eating the costs and call it part of business lumped into the insurance payments.

And lastly, it’s our duty in security to accept that axiom that breaches are inevitable. Even if you have a great security team or follow PCI DSS to the letter, you still have to assume a breach will occur. Hopefully many are prevented and the successful ones are detected and mitigated quickly.

If someone wants to say PCI DSS is useless, I’d really want them to offer up alternative solutions that can be applied to enterprises in many industries and or many sizes. Don’t just say, “Do *real* security now.”

security warrior 2.0 by kim jones

Kim Jones recently had a wonderful article talking about Building Security Warrior 2.0. I really liked his points and bullet items. I don’t think this is the whole answer, but it’s a very good one.

1. Defense Alone Is Not Enough – I’m not sure this is a really new point, but he does tie this in later on with how we’re shifting from governance and programmatic defense over to being able to think like an attacker on a technical level. It’s one thing to just play defense, but another to start anticipating the moves and weaknesses. That said, he’s also correct to walk this back a bit; it’s not about a security team attacking attackers (or would-be attackers), but it’s about thinking like them. And maybe, if you have a large enough organization that is a big enough target, to actually keep a finger near the pulse of parts of the attacker industry.

2. Security Is An Interdisciplinary Problem. – This times ten, although I do think he left off a bullet item in the list: Systems administration fundamentals. He lists network and app disciplines, but leaves out the system level. Anyway, it’s true otherwise. Some roles in security really are high level communication and leadership positions, while others are in-the-trenches technical ones. But there is almost always some level of upwards tendencies for all security people these days. You may be helping on a project with other teams at or above your pay grade or assisting with an incident that involves people *way* above your pay grade, and the ability to communicate and understand a wide range of security topics is important. This is why I find it harder to coach brand new employees out of college looking to get into security; often (not always) people should get some other sort of IT experience under their belt before sliding over into security, in my opinion. I suppose there are entry level SOC/NOC types of positions, but for anything above that, having some other fundamental skill specialties is really awesome.

3. We Need To Bring Back Critical Thinking. – This sort of goes without saying. Security professionals are fighting a game of innovation and discovery, and doing so across all functions of IT and across other non-IT functions. This means you need critical thinking skills that put you in and out of the box at all times. Often, security can be brought into project planning or operations incidents largely due to their wide and deep expertise and critical thinking skills, even if the issue at hand is not strictly a security one.

4. You Do Not Have The Option Not To Communicate. – Pretty much echoes points made above, but it’s nice to separate this out. As a security person, you’ll *have* to communicate to some degree, since security is (almost) always about making things a little harder (but more secure) for users and data and customers internal or external. Now, this doesn’t mean everyone in security needs to be able to talk and play golf with the CEO or be buddy-buddy with executive leadership. You just need to be able to talk to your audience, technical and non-technical, to get things done and understood. (Honestly, this is a key point for any level of IT support these days. You get every level of employee or boss that may come to you on any given day…)

5. Reality Matters. – Definitely this. Theory and book smarts and unrealistic research only goes so far. I definitely encourage anyone new in security to get their hands dirty, whether it’s with security topics, network/systems/app work, or sitting along for capture the flag competitions or shadowing current professionals. Security is not just technical, but it’s also part creativity and part gut feeling.

6. Information Assurance (IA) and Cybersecurity are Neither Synonymous not Mutually Exclusive. – Jones starts to get into some terminology here and this is where we tie back into the very first bullet point about programmatic governance and technical aptitude for attacks. I really like this line, “Part of that [pendulum swing towards IA] result…has been the increased volume and severity of data exposures, combined with the erroneous labeling of suck attacks as ‘sophisticated.'” Too many of these attacks are not sophisticated. Now, that’s a huge topic in itself…

Jones finishes the article with a list of attributes for the Security Warrior 2.0, and they really read like any security job description should start out. I think this is a really good foundational goal for anyone coming into security or looking to square their shoulders up again to where we’re headed.

putting money back into myself – 1-3 year plan

Now that I’ve gently pivoted my career, I have a chance to identify and work on some of my knowledge gaps and desires over the next couple years. This is
especially important to me, as over the past 4 years or so, I’d a) gotten comfortable where I was, b) been really busy with business-critical work, and c) drifted away from learning a ton. While work was busy, I had a few new hobbies/people show up afterhours that took away time as well. That’s partly the point of the gentle pivot from being systems *and* security work, to doing full time security work. It should free up some energy to get my learning back on track. I also hadn’t put much money back into myself as far as training, but then again, neither did my previous employer. Sure, I was always offered it verbally, but there was really very little follow-thru on proposed options if they weren’t immediately in line with devices or projects we had already on the books. And security for security itself was not a priority.

This is partly why I posted several weeks ago about the various security roles that exist. It not only helps me decide what I want to do for my career, but also what I want to continue to study and strive for over the next 3-5 years. I test and study well, and sponge up information all the time.

This is certainly not all-inclusive for my interests, skills, and what I want to do on the job today and tomorrow. This is simply a small guide for myself on what to do next, if I’m ever looking towards the professional horizon and wondering what’s next on a quiet winter day. Obviously, this is also ever-changing.

PWK/OSCP from Offensive Security – Not prohibitively expensive, well-regarded, satisfying, self-paced study and a cert to show for it after.

CTP/OSCE from Offensive Security – Not prohibitively expensive, well-regarded, satisfying, self-paced study and a cert to show for it after.

CCNA – Not expensive, satisfying, but might be a bit below me and require some extra effort to utilize some labs.

Linux – local class? – night class during the summer, not expensive, quality might be hard to know beforehand.

Linux – other (further research required) – There are plenty of other accessible options from SUSE/Red Hat specific all the way down to Linux+ for the heck of it.

Certified Ethical Hacker from EC Council – Not prohibitively expensive, popular even if much maligned, doable and something to add on the resume. (You’re allowed to hate on this; I get it.)

python, powershell, .net self study for coding knowledge (even C++/assembly) – This is less structured, but I could acquire books or online learning goals to help with them.

OSWP from Offensive Security and CWNA (wireless) into CWSP from CWNP – These are wireless specific goals of mine. Attainable, not terribly expensive self-paced study.

web app sec self study or other certs (further research required) – In a really quick search, I was surprised to not find any useful web app sec related certs.

get other small gadets or toys (hackerwarehouse type stuff, great scott gadets…) – A bullet item reminder about this.

get a Mac – This is really to broaden my horizons with a new platform/tool investment for myself.

Arduino learning – Hey, I have an Arduino learning kit I can make use of.

cons and local groups –
A bullet item reminder that these exist!

other specific tools self study – A bullet item reminder that I can look at any other specific tool in depth and will.

further lab building – Maybe purchase more hardware for the lab and build it out further. I was really thinking hardware, but even trying to admin it better could be a useful project.

SEC560 (GPEN) – Network Penetration Testing and Ethical Hacking – Just time and cost prohibitive, but if I had the sudden bonus budget, this is where I’d start right now.

forensics and reversing self study or other certs – further research required, most of these are expensive or product specific

ISACA offerings (CISA/CISM) – book cost, self-study webinars, exam cost and trip make this somewhat prohibitive

CSSLP from ISC2 (web app) – An app sec certification for SDLC work and experience. Not expensive, but annual ISC2 maintenance, of course.

Other SANS/GIAC – Basically just cost and time prohibitive. Will look into it on my own personal dime when budgets allow.

10 gadgets every hacker should have according to eset

I am usually snarky about lists, yet I can’t help but love this list from ESET’s WeLiveSecurity site, 10 gadgets every white hat hacker needs in their toolkit. I am actually woefully behind on this list, and need to fix that! Is there anything amiss with this list? Well, if I wanted to be picky, all of these tools are useful to the hacker with physical or wireless proximity access. Then again, we’re talking about physical gadgets, aren’t we? And it does underline an often missed part of corporate security: do physical walk-thrus to check for rogue hardware! This list is also a sort of training/shopping list for anyone wanting to do wireless or physical pen testing or defense.

Raspberry Pi 3
Wifi Pineapple
Alfa Network Board
Rubber Ducky
LAN Turtle
HackRF One
Ubertooth One
Proxmark3 Kit

building a pen testing lab – questions and concerns

It’s been years since I had a working lab at home, and I’m finding myself ready to build a new one. Building and maintaining your security lab is less about being a security expert and more about wearing your Systems Administrator hat. Maybe even your shiny new devops hat! It takes work, and you better get used to it and get efficient about it. You want to spend your time doing security magicks, not wrestling with your VMs.

Developers already have a leg up in this regard if they are already using devops-y tools like Docker or Vagrant to quickly rebuild and share development environments as a VM. Modern Sysadmins also are learning these techniques. It’s worth getting a taste for it as a security professional as well. Don’t discredit blogs and articles from developers in this field.

The simplest lab will be installing a virtual hypervisor on your local workstation right now, and carving out a VM or two. You can always use your local system as the attacking box, and the VM guests as victims by allowing the host and guests to talk to each other. That’s all quick and dirty, but most of us don’t want to screw up our main box by testing weird things out on it, or vice versa screw up our lab that took hours and days to set up by doing something unexpected on our main box.

The second easiest route is to forage from your local company desktop and systems folks. Do they have old workstations being sold for cheap or thrown away? Do they have extra copies of old OS media they no longer need that you could use to install from? Even just having a few extra workstation-class systems on hand can be enough for a lab, even if they’re not powerful enough to run virtualization tools on.

But let’s say you’re ready for the next step. You want to stand up a virtualized pen testing lab. Below are some topics to think about and answer before getting started.

What is your purpose?
You might want to do some pen testing, which is probably the most typical use case of a security lab. But you might instead be looking to detonate malware or evaluate security tools in a controlled environment. Keep your use cases in mind when answering some of the following topics. For instance, detonating malware might mean you have a particular interest in keeping your guest VMs absolutely isolated!

Choose your hypervisor platform: Virtual Box, Hyper-V, VMWare, XenServer
Picking a platform you already know will probably help you get up and running more quickly. But you could take this chance to learn something new and pick an option outside of your comfortable zone, but plan for some extra learning time. All are pretty capable, though Hyper-V is still fighting to prove itself in the enterprise and VirtualBox is usually limited to small scale use like for our lab project. Learning VMWare and XenServer are things you can effectively add to a sysadmin resume. XenServer and VMware can be loaded onto bare metal, but Virtual Box will require an OS to install onto.

While the others have free versions you can use just fine, Hyper-V has extra considerations that you’ll want to check up on, such as what you can or cannot license through it for a server class Windows OS. Honestly, chances are you will want to use something other than Hyper-V. Exception: If your company already has a Software Assurance subscription in place with Microsoft, perhaps you can convince someone to ask about including a free license for Windows Server Datacenter that you can use.

Think about how many systems you’re going to want to have running at any one given time.
This will increase your hardware needs the more you want running. For an initial run at a lab, plan for 2-5 concurrent guests running at once (20+gb disks, 2-3GB RAM…)

Think about portability.
This may influence your hardware choices: beefy laptop versus an old server chassis or maybe a portable-ish box? Do you want to power this off and take it various places, or will this just be on your home network in a corner forever?

Think about network needs as this might invoke further work on a router/firewall or on the hypervisor of choice.

  • Do you want your local network to talk to these VMs and vice versa? you probably don’t, but maybe you want to use a physical kali laptop as your attacker…
  • Do you just want the VM network to talk out to the Internet? Some systems will want this for patching or apt-gets or to build them!
  • Do you want granular control over any of the above? Extra work!
  • Keep this item open as your answer might change based on what you want in your lab.

Think about initial VM inventory.

  • an attacker box (or two: 1 linux and 1 windows)
  • a victim box.

But for your victim box, do you want to load a system purposely built to be vulnerable to things (like metasploitable), or do you want to build more or less default-ish systems? By default-ish, I mean not just out of the box, but maybe also configured with typical settings and best practices as needed. Or more than likely a mix of the two.

Linux VMs are pretty easy. You download the distribution iso, install it, optionally update, and you’re good to do whatever you want next. You can even snapshot the installation for quicker builds later with really no issues.

Windows OS VMs are a different story. Windows isn’t free. You can download limited trials from Microsoft, but they will expire. You can get things like MSDN copies or freebies alongside Software Assurance subscriptions, but those are not really free for home users. It can also be problematic to clone a Windows VM snapshot into new systems, depending on what you need, and the license will still be expired. This means you need to think about how you want to refresh your Windows OS VMs, which means channeling your inner devops (deployment infrastructure), scripting (quick configurationgs), or documentation skills (notes to follow each time) to rebuild efficiently and accurately. You should also think about how to get hands on with older, unpatched OS versions, such as older 2008 R2. Grabbing media from your ops team is always a good source.

What might you want for Windows boxes?

  • a server class
  • a workstation class
  • a domain controller (with DNS, DHCP, Active Directory, Group Policy)
  • a domain computer member (server or workstation or both)
  • a file server, FTP server, IIS web server all in one? (also think about populating your file server with files!)
  • once configured, snapshotted, and think about what you’ll do in 181 days when the license is expired.
  • later on, you might want to add security systems like a Splunk server, IDS/IPS, packet capture monitor, etc.

Think about your install media and how you plan to keep it updated. You probably want to carve some of your VM host storage for an ISO section where you can plop ISO images of installs and mount them from, or maybe an external drive you can attach. Also think about how often you will get new ISOs and how will you know a new version is available? How will you get old ones if you need something older than a particular date or patch?

Are there any VMs you want that are going to need to be built all devops-style? Take the install process for Metasploitable3, for instance. How will you refresh this? Where will you build it? You might have to learn some devops skills to manage this without busting your box on accident. Maybe have another system nearby you can build VMs inside, export them out, and then import them into your lab host in the ISO storage location.

All of this should pave the way towards planning, acquiring the hardware for, and beginning to build a pen testing security lab.

paypal 2fa bypass by henry hoggard

On October 22, 2016, a two-factor authentication bypass against PayPal was released. If you just intercepted the post back from a form about security questions, the system would accept it and authorize a device to be sent the 2FA code over text messaging.  Now, this does require that you have the first part of the authentication process: username and password. But, that’s exactly the part that is weak enough to force the use of 2FA. Basically just opening a rogue email which installs a keylogger or other trojan is enough to leech that out.

Now, PayPal did fix this within a few weeks, but it’s really annoying to know that this system was so easily subverted. Just munge the data in transit and you’ve broken their system. To me, this suggests someone in QA or their security team didn’t do much for security testing against this piece of code before it went to production. And that’s just plain annoying to see. Nor was this designed with security in mind by the developer, either.

And if PayPal makes these makes mistakes, so does most everyone!

forming questions to ask endpoint security vendors

I wonder how often a vendor calls competing vendors to try and get sales pitches, calls, and demos out of The Other Team? Probably less often than I’d like to think. I imagine they have enough work to do without resorting to filling time with some casual spying.

Anyway, DarkReading has posted this article, “20 Endpoint Security Questions You Never Thought to Ask” (I read that headline over a good 5 times in my best movie trailer hype voice). Even though I’m a bit snarky in my response to these questions, this article does make a good foundation for any sort of endpoint security requirements gathering might be needed when evaluating new products.

Do note that I don’t really trust sales people. I trust being hands-on with products, or at least eyes-on with an in-depth demo from an engineer. So any questions that are easy for sales to just fib about, I tend to reword into “Show me…” types of questions. I’m also crazy wary of articles written about a product segment by someone whose business lies in that segment. I get that they’re knowledgeable, but they’re also happy to slant the discussion to favor their own products, even if it’s subconsciously done.

A few key questions are missing here. Asking about licensing models is always a necessity. Asking about central management tool requirements is another. Plus, these are endpoints we’re talking about. Does this include server class systems? What about when a mobile device is off-prem? What port allowances on my network are necessary to be opened? Will the endpoints be listening and do I need to protect that opening? Are updates and central callback communication encrypted or protected somehow? To be fair, this list was about questions I never thought to ask…though, let’s also be super fair and say that most of these questions are baseline questions everyone should be asking already.

“1. How easy is your solution to deploy?” This is a fair question, but I’d reword this as, “Show me the process to deploy your solution.” I’ll make the determination on whether that is easy or not. Do I need to burn a domain admin account for this? Do I need to sit and wait to do them one by one? Do I need privileged staff? Does the tool run as local system/root or do I need service accounts? Will this discover endpoints or do I have to populate with a list or one by one? And so on.

“2. How easy is your solution to manage?” Again, I’d reword this to, “Show me how to manage the endpoints from a central management tool.” I’ll decide if it’s easy or not.

“3. How easy is it to configure rulesets and tune the solution once deployed? Aside from the fact that threats are continually evolving, if there are activities that appear malicious elsewhere but are benign in my environment, I need a way to filter those out.” For the first part, yet again, “Show me how to configure the rulesets and give me an install that I can play with directly.” I’ll decide if it’s easy or meets my requirements. For the second part, I’m not sure what examples there may be, but I might ask whether any given rule or protection can be fully turned off if I want them off, or if I can make exceptions by running multiple policies. I’ve run into tools with pieces that just can’t be turned off (Sophos!), and it can be very frustrating.

“4. How easy is it to update your solution’s knowledge base or take advantage of the latest knowledge around attacker activity? If you can’t make it easy for me to operationalize what you’re selling me on, then your solution isn’t going to work for me.” Yet again, show me how to configure updates and what gets updated.

“5. What additional load on the endpoint does your agent introduce?” I honestly don’t think this question has been relevant for many years (virtualization concerns notwithstanding), and even if so, a sales call won’t produce a negative answer. More than likely, an extensive proof of concept roll-out will be necessary to answer this. One does have to think about whether virtualized endpoints will be included. Do they all scan at the same time and overload my hosts?

“6. You want me to install yet another agent? I would be willing to do that if you articulate how you can consolidate functionality that I currently get from multiple different agents into one agent.” I don’t think this is relevant, either, unless I am looking at a tool to replace several others. Otherwise, when we’re talking endpoint security, we’re going to be talking agent-like footprint. The exception? Mainfram…I mean, fully virtualized environments where the security is abstracted out into the host/hypervisor layer.

“7. How does your solution integrate with my existing security infrastructure? I have a complex ecosystem of products deployed and yours needs to play nice with it.” I doubt this is very relevant. I mean, let’s say it’s the best product but it doesn’t “integrate” well with my infrastructure. Sorry, but that’s my problem to deal with. It might be better to ask questions about how notifications/alarms are raised, logged, sent, and handled. And to ask to see the dashboards or status checks or audit reports. However, this is definitely an internal question to raise, and there may be complex environments where this and other tools will stomp on each other for a while.

“8. Not all intrusions involve malware. What is your strategy to detect intrusions that use no malware at all?” I actually am not sure what this question is asking about.

“9. Is your solution part of an overall platform, or is it just another point product that I need to figure out how to integrate into my operational workflow?” A good question. Basically, what else do I need to get value out of your tool(s)?

“10. Does your solution leverage and facilitate correlation with other data? I have a lot of great data elsewhere in my enterprise. Do you know how to take full advantage of it to improve your efficacy?” This seems like a question specific to a flavor of solution…

“11. Is your solution based on knowledge of attacker tactics, techniques, and procedures (TTPs)? If not, how do you identify that type of activity?” At this point in the game, I don’t much care or expect visibility into the inner workings of the major players in this field. Real world roll out will tell me if updates and signatures and behaviors are stopping what I actually see coming in daily.

“12. How does all the knowledge you’re selling me on make its way into the product to help me mitigate risk?” This goes back into the previous question: I doubt I’ll ever have this visibility beyond a slick sales talking point or two that I just have to accept until I see the product in use for a year.

“13. Do you really have behavioral analysis and machine learning built into your solution, or is it just signatures and rulesets behind the scenes?” Fair enough, but a bit of a softball question that sales people hope you ask so they can hit a major talking point they’ve rehearsed in their sleep.

“14. Do you provide ability to remotely contain and remediate endpoints?” I actually really like this question, but it needs to lead into a demonstration of remote management and remediation. I’ve seen tools that do a decent job and yet are useless when it comes to proper enterprise level management.

“15. How efficient and powerful is your enterprisewide search? If I have an incident, or even if I don’t, I need to be able to slice and dice the data collected by my endpoint solution in an instant.” A good question to lead into viewing the reports, dashboards, or other logging and display capabilities. Before asking this, however, I make a point to have an idea about what sort of data will be relevant to me. Are there any metrics I want to see? Or as an analyst, what might I need to know to investigate an event (or non-event)?

“16. How effective is your solution in a real enterprise against binaries you’ve never seen before?” Another softball question. If you’re big enough and good enough to ask about this question, you’re big enough to have your internal malware team throw some things at the tool during a POC or small demo. Otherwise, this really doesn’t apply to you.

“17. What is your true positive detection rate in the wild? Results from your lab don’t interest me here.” I don’t even know what the author expects this answer to be, but it’s leading and a softball.

“18. What percentage of events and alerts that you fire are false positives? Again, results from your lab don’t interest me here.” Again, never going to get a real answer here. This is going to tie into how the tool’s logging, alerts, reports, and dashboard all work, in conjunction with how granular and complex you can tune and configure the solution. All of this working together allows analysts to tune down the false positives.

“19. What is the upgrade path for your solution? It should be a smooth and straightforward transition from one version to the next.” I’d also ask how often major versions come out, and I’d try to find someone who has used the solution to tell me about any issues with upgrades or if there are any ramifications for falling behind on patches (like one feature becoming broken over time, orphaned endpoints that haven’t checked in, or something). Walk through the upgrade process and see if it’s just about running an installer and pushing out the new version, or if it’s ugly like database upgrade scripts and other complex steps.

“20. How does your solution facilitate my information sharing initiatives?” Basically, does it do the right reports that I want? Or, at least that’s how I see this question going.

rainy day scripting ideas – port scanners

If you’re looking for something to do with Perl (or Python or other scripting languages you’d like to play with), you can always make a quick and dirty port scanner. For instance, like this SSH port scanner script. Just looking at the code, this isn’t something that uses a specific SSH client or anything; you can just change the port to create a different scanner.

And this can be built upon very easily by searching for other examples like a more robust port scanner in Perl. You can scan more ports, a list of ports, maybe replace the random IP address with a static list that you supply.

Even better, get a port scanner on every system in an environment without having to rely on an installed scripting environment…enter PowerShell! Yes, start playing with port scanning using PowerShell scripting. This is arguably a bit better than installing the Telnet client on current Windows server boxes every time you want to troubleshoot network connectivity.

Is this useful? Absolutely, from both offense or defense, you can find specific things in an environment that maybe run on a weird port or common ports like SSH. Scan your network space from your own admin VLAN to find lost devices that aren’t in inventory but weren’t properly decommissioned, or maybe that test Linux VM someone stood up last year that was supposed to be temporary. Tools like this can be used to test and validate firewall rules, which always sounds easy in practice, but is not necessarily so when you really get deep and dirty with it.

This can also be used to test security detection processes, like network IDS/IPS. Catching sequential or even random (but large volume) scans should be something easy to accomplish and test. You can even add some waits/pauses to the script to slow the scan down and watch behavior of your IDS/IPS versus time it takes an attacker to get useful information off your network. Need to test your IDS/IPS for an auditor? Creating easy, but relatively benign alerts in a few different ways is useful (like triggering a WAF with a GET to cmd.exe or something).

security job areas

IT security is a broad field, just like the general “IT” field is broad. If you want to get “into security,” there are various paths to follow. I’ve been playing with this list for a little bit, and want to move it from a text file on my desktop to a more permanent filed place on here. The following groupings are not meant to be all-encompassing as there are dozens of smaller focused positions and different job titles out in the world. But this should be a pretty good, and close-to-complete view of security.

  • Penetration Testing and Vulnerability Assessment (system, network, web, application, cloud, mobile, physical)
  • Incident Response, Malware Analyst
  • Forensics (memory, disk, network, mobile)
  • Risk and Compliance Analysts
  • Security Auditor
  • Architect, Policy, and Design
  • Security Researcher (reversing, exploit dev)
  • Security Operations Engineer, Security Manager/Analyst (network, identity, application)
  • Access/Identity Management
  • SOC Operator/Analyst
  • Application Security/SDLC (static analysis, mentor, tester)
  • Physical/Surveillance
  • Management (CISO, Manager)
  • Education/Trainer/Media
  • Generalist

Yeah, I keep “Generalist” as a spot on here, because it’s still something to be considered. While not usually a job title, if you like everything about security (or are just undecided if you want to focus somewhere), you can have generalist security professionals just like you can have generalist IT professionals. It’s not flashy, but knowing a decent amount about many things can still provide value.

I’m sure I’ve missed some major roles, but many other smaller ones probably fit into these as sub-roles. Also, the Management slice might often be more about managing people and departments and less about IT or security; more like a category of management rather than a category of security. That will all depend on the organization.

There are also types of security jobs as well. For instance, you could be a pen tester consultant, sales engineer, or even a part of a permanent red team inside a large organization. Also, things change if you’re working for an actual security company (hello enabler!) or part of a security team for a company whose main line of revenue lies elsewhere (hello cost!). So these slices should also be taken into consideration against all of the above categories.

  • External security consultant
  • Employee at a security company (including sales engineers)
  • Employee of a non-security enterprise (i.e. part of an internal team)

Why am I even bothering with this exercise? Well, I’m currently filtering through the local job market for a role to land in. I’ll give more details about that in a future post.

the job of information security and the most important quality

I’ve been in some job interviews in recent weeks, and gathering a list of qualities that information security professionals should have. Ingenuity, problem solving skills, knowledge and aptitude, detail oriented, analytical skills, healthy skepticism, team player, autonomous, enthusiam, empathy, having a good heart (these last two deserve their own posts). All of those are highly important, even required. But I think there is one quality that I think leads many of these: integrity.

Security is tough.

You don’t need security without the insecurity, and as such security will always be behind the curve.

You’ll always be fighting against agile bad guys and always behind, but you’ll also always be fighting users who want 100% convenience. And you’ll always be fighting against other pulls for business budgets and money. And always fighting the growing complexity and chaos.

It takes integrity to be in security. And it’s more than just not looking at the CEO’s emails when you have access or passing along trade secrets or posting security holes on social media or keeping quiet about an HR investigation into harassment claims.
Integrity isn’t surprising as an important quality in security, as it is also an important quality for life in general.

It’s also about admitting you don’t know something and the subsequent quest to learn it, rather than faking it and losing credibility.

security is difficult.

These teams need to know what is important to the business and how to balance user access/convenience against security and budgets. That’s a high degree of business acumen that is required.

Security also needs technical chops in all areas, from data management to networking to systems to desktop to programming so that they can provide guidelines and mentoring on how to be more secure. That’s not something where a desktop person can come in and immediately be effective without knowing how network infrastructure or server management is handled or has never spoken to developers before. They also need to back up their theoretical anecdotes with evidence of successful attacks and defenses.

Security also has to know how to handle people, as they are always the weakest link that need to be educated and incentivized (I prefer incented as a word..) to know and do the right thing, from non-technical employees to the deeply technical senior IT members.

Security needs to be objective with technical logic, but subjective and creative to keep up with innovative attackers who find and leverage new issues weekly. It’s even sometimes artful in ways to detect and prevent attacks.

Security needs to be rigid and stick to compliance standards and expectations, but also flexible to the ever-changing world, business, technical solutions, and attackers.
Security needs to be confident in their solutions, but also humble enough to accept subject matter expert feedback and suggestions.

I love this profession, even if it causes me to take an extra drink some Fridays. The challenge is intoxicating even as it is frustrating.

quick wins on your next pen test from red team security

I really wanted to add more to this list of “5 Quick Wins On Your Next Penetration Test” post by Red Team Security Consulting, but they did a good job capturing really important broad topics in their first 4 items.: Apply missing patches, decommission forgotten systems and services, bring your password “A” game, and restrict your admin interfaces. The last one, “Validate your input/output” applies to developers more and isn’t quick or easy, and the bonus item, “spoof your banners,” isn’t something you spend time doing unless you really, really want to. But I do have a few tidbits to add. (My criteria here is keying off the phrase, “quick wins.” It’s easy to add many more things that can take months to implement…)

First, issue a round of security awareness education to your employees. Remind them about phishing attacks, tail gating through locked doors, and reporting general “weirdness” on a server. Server is crashing or slow for no reason? Look deeper. Be skeptical, even if the answer is usually not “an attacker.”

Second, make sure your anti-malware solutions are pushing updated signatures/versions to endpoints. Make sure your reported endpoints match your expected inventory, and shore up any stragglers. It’s not perfect, but endpoint protection does flag tools that attackers use.

Lastly, here’s a “cheat” you shouldn’t do, but I guess you could. Stand up honeypots or devices that answer on otherwise unused IP addresses or ports on those IP addresses. Thing is, no pen test lasts as long as it should, and a huge amount of time is spent on scanning alone. If you make an attacker’s scan take way too long, they’re not going to find things or they will just not have much time to get where they want to go. Does that cheat you out of value from the pen test? Absolutely! But it *is* something to think about: the amount of time you’re paying someone to scan your network and how that steals value from the pen test.

five practices hackers say make their lives harder for which a vendor can address

Saw mention of a post over at CIO: 5 Security Practices Hackers Say Make Their Lives Harder. Ok. It seems like every security practice should make their lives somewhat harder. The 5 items trend largely towards password and privileged account protection, which isn’t surprising since the survey was conducted at Black Hat USA 2016 by Thycotic, a vendor of password and account management tools ( or Privileged Account Management [PAM] for the fancy). And I have used and generally like their Thycotic Secret Server, so I have nothing against them. I just generally have issues with vendor-led statistics.  [As an aside, I consider Thycotic a sort of third level solution for any organization that has to manage privileged accounts. First being nothing, written, text files, or Excel files with password protection. Second being a PasswordSafe, keePass, or even LastPass sort of user/group password management tool. And third being something enterprise-ready that you’ll have to pay for, though not exorbitantly, like Thycotic.]

So I headed off to see what this survey was all about. I found a copy sitting over at SCMagazine: the 2016 Hacker Survey Report. Mysterious! Unfortunately, the survey pdf itself shows nothing of the methodology of the survey or the questions asked to get those 5 items that make hacker jobs more difficult.

Are the items wrong? Not really. Account security is highly important, from admin to end user. Access escalation and end-user phishing are strong topics for IT security in 2016 (along with cloud security and anything to do with PowerShell).

I just always get skeptical when I see self-serving vendor-provided surveys and information.

Edit: I actually just saw over LinkedIn that the survey pdf is now available from Thycotic if you want to submit some false sales information (no real verification or checks to download). It’s the same pdf as linked up above. And it’s still really not that interesting.

mirai source code and password list revealed

By now, most of us have heard about the latest largest DDOS attacks on record, first against Brian Krebs, and then against OVH. MalwareTech has a great article about the botnet behind those attacks, Mirai, and how it actually works.  Brian Krebs also has information about the source code for Mirai. And here’s the list of the user/passwords the bot used to dig into IoT devices, taken right from the full Mirai source code.