some thoughts on handling the it insider threat

NetworkWorld has a fun article up about sysadmins and the Insider Threat! (Here, if the print link doesn’t work, to save you 4 page-clicks.) This is a decent article if you give it a chance through 4 pages, and overlook the fact that it hyper-skims over enough topics to fill a book.

“It doesn’t mean they’re guilty of anything,” Theis adds. “Sometimes they’re just trying to get the job done, but they’re outside the bounds of the organizational policy.”

Sometimes IT workers are pushed by demanding users, such as business and sales managers, to perform tasks in a hurry or to violate official IT policy by, for instance, adding printers on network segments where that’s not allowed.

Many suggestions in the article are correct suggestions, but they are really appropriate for larger enterprises and completely ignore the SMB. To its credit, the article does briefly cover some of what I consider the bedrock approaches to the topic of privileged IT insider threats.

1. Hiring practices. You’re hiring someone who may have access to your entire asset line and data. You’d better have decent hiring practices in place for background checks, credit checks, proper valuation, and so on. In the SMB, your admins are pretty much gods, even if you don’t want them to be.

2. Management directly. No amount of automation will remove the need for proper, close management of privileged users to determine if they are disgruntled, have pressures going on in their lives, and so on. The warning signs are almost always there.

3. Management protection. Many (all?) times IT staff are just trying to solve a problem. Management needs to be outwardly present to protect their staff from bending to those pressures. Don’t leave your employees to handle the brunt of pissed users who then turn in poor customer-service reports, which pressures staff to be more lenient to get better reviews. That’s a downward spiral that will erode security.

4. High-Level policy. There must be policies in place on what the company and management expects for architecture, security stance, behavior, and so on.

5. Standards/procedures. This is a tough one, but there should always be procedures for admins to follow to accomplish common tasks, and guidelines (along with aforementioned policies) when solving new problems. One person should not solve a recurring task in their own way which may erode security. This happens way too often. Collaboration amongst peers helps as well. In the SMB, don’t undervalue consistent verbal standards/policies. (I know, some people will argue and say policies need to be written [*slammed fist*], but I believe the verbal side has realistic weight.)

6. Peer management. No one likes a snitch, but employees are very good at sensing changes and ethics in their peers. If someone is going through a hard time, or suddenly is acting suspicious, or you get an untrustworthy vibe, handling these sorts of things should be encouraged, either through a manager or through interaction. I wonder how many “disgruntled” employees could have been helped through better relationships in the workplace.

7. Awareness of options. This article presents a nice array of options on this topic, but most of them really require additional staff and tools to accomplish, beyond the reach of many SMBs. But it is still nice to know what options are out there and evaluate if something may be appropriate.

8. Audit access. This can either be simple or enterprise-worthy, so I won’t go deep into it. But have some approach for auditing access and who has the ability to use shared accounts, and so on. This can be some quarterly manual review, a brainstorming verbal session, or something vastly larger. The point is not to be surprised by who has access to what.

Got linked to this via the Infosecnews mailing list.

packetlife community lab

Looking to get some hands-on time with relatively modern networking gear, but don’t have the money, resources, or even knowledge to roll your own lab? Jeremy Stretch has made available a community networking lab. For free! Having some real hands-on time with the gear and command line is really a key element to advancing through Cisco certs. Please think about donating even just a little bit if you find the lab useful.

an example of consumerization and the enterprise

I just today mentioned an article between Ranum and Schneier titled, “Should enterprises give in to consumerization at the expense of security?” I imagine most security folks can feel this question every week, if not more so. I had a taste already on a Monday.

Clickability is a service that allows you to email links to people. Some sites such as The Wall Street Journal legitimately partner with Clickability to provide the limited ability to share articles with people who aren’t normally allowed beyond their pay-wall. Nothing too bad, yeah? But if you go to the links that Clickability advertises about itself, you find that anyone can add a javascript bookmark and email, essentially, anything they want to anyone they want…and pose as anyone they want. Rut roh… In my organization, we use IronPort web filters, and IronPort blocks Clickability features due to their categorization as “Web-based Email.”

This is one of those grey area cases. What advice do you give?

On one hand, I can basically email anyone anything and pose as anyone. This may mean the ability to exfiltrate information via port 80 (without normal logging like outbound smtp). It might mean being able to harass an ex anonymously. Or harass someone at work! And while some may argue you need to dig a little to utilize such functionality, I would say not really. The links in Clickability advertise the ease of use, and even the barest minimum use-case demonstrates the spoofability. And while most people won’t be going out of their way in their daily lives to figure out how to spoof emails, if you put it in front of their noses, they’ll turn into criminals-of-opportunity; even if it just starts out as a practical joke to your cubemate.

In addition, an expert appliance, the IronPort web filter, is saying this site breaks policy. Should an SMB take it upon itself to make exceptions and start down that slippery road? One could argue that a major portion of the value in appliance-based web filters is not having to sift through and block sites on your own, but rather inherit what the experts say.

On the other hand, this is a borderline case for “Web-based email” in that it does not allow two-way communication. You can fire off emails, but you can’t get any in return. Likewise, you can’t send attachments.

In addition, the person making this request is a salesperson. With a laptop. And readily available access to networks not subjected to our web filtered VPN connection. So why even bother to control this? Similarly, we’re looking at expanding our mobile presence, which will further the inability to truly keep our arms around the data (assuming we’re still legitimately *in* that battle yet!).

These are big questions, and they completely depend on corporate culture. Unfortunately, those with open cultures will always slowly pressure and erode those with tighter cultures. The whole “grass is greener” or “But Bob at the Club told me they decided to allow it, so we can, too!” mentality.

Often the best we (SMBs) can do is educate management as much as possible, but then roll with whatever decision is made. In the absence of regulation, I’m pretty sure there is no right or wrong answer. We could clamp down and say no, or we could stay aligned with consumerland technology.

(My advice is pretty much the above; but I would lean just slightly on the side of trusting the appliance categorizations, and as such keep the site banned. But if someone else overrules me, I won’t be kept up late at night. There are good reasons to roll with the winds of technology, many of which go beyond security.)

a ranum history of security

I wanted to repost this funny blurb from Marcus Ranum in the latest Information Security issue. As usual, the high point of the mag is the Ranum/Schneier point-counterpoint piece.

1995) install firewalls
1996) punch big holes through them
1997) announce “firewalls are dead”
1998) install intrusion detection systems
1999) turn off all the signatures
2000) announce “intrusion detection is the pet rock of computer security”
2001) install log aggregation systems
2002) ignore them
2003) complain that intrusion detection still doesn’t work
2004) worry about data leaking from the network
2005–2010) give employees mobile devices
2006–2010) give employees direct-from-desktop Internet publication capability via Facebook, Twitter, etc.
2010) give employees control of their own IT—when is it all going to sink in?

Their topic was the widening role of consumerland devices and technologies being pushed into the enterprise, while security managers freak out. The realistic point is this is how change is made, and if your company doesn’t stay on top of new tech, someone else will. Sure, your risk will go up, but it’s a corporate decision and often the best we can do is educate management on the risks/costs, educate users, detect issues quickly, and respond efficiently when they do happen, rather than leaning on the brake, as in Ranum’s excellent parting analogy. Still, even being aware of all this new tech is difficult, let alone trying to tackle the security of it…

Linked by Anton for an unrelated thing.

wireless bssid used in geolocation

Post and code up on Attack Vector: Geolocation Using BSSID. Matt finally brings this home at the end with the key question: How do you get someone’s BSSID? And that’s really the key, right? Well, if Javascript can leak that information over the Internet, you have an interesting way to track people down.

I hate how movies geolocate someone using their IP address (if we’re lucky, they even get *that* technical) within seconds. Now this might be a bit more realistic (with some room for error due to proximity or overlapping BSSID names) for people on wireless and leaky equipment. Very interesting!

opening the door towards dialogue

Having just recently posted about the latest asp.net vuln, I just wanted to say I absolutely love how even non-security people suddenly poke their heads up and ask questions about issues like this when they are disclosed. Or better yet, post workarounds, issues, ways to detect these attacks, and so on. You can’t open up dialogue like this with closed-door issues…

That’s not to say I’m pro full-disclosure absolutely, but in the absence of Internet-breaking, easily-recreated issues that can be solved quickly (i.e. *really* good reasons), I tend to sympathize greatly with sharing the info rather than secreting it away.

asp.net padding oracle (crypto) vulnerability announced

I guess I told my team about this, but neglected to put anything here! A few days ago Microsoft issued an advisory about a “Vulnerability in ASP.NET Could Allow Information Disclosure”. There are really two aspects of this vuln that require attention: being able to read viewstate data and being able to pull files/info out of the server, such as the web.config contents.

A video of POET (Padding Oracle Exploit Tool) demonstrating the attack is available, along with more info at Netifera. If you’re looking for even more detailed analysis on the crypto attack, check out Gotham’s excellent blog post along with their own tool, PadBuster.

ScottGu has a great blog post with more details and workarounds, along with an FAQ post, and there is a special forum carved out for discussion on this issue.

Is this a Big Deal? I think it reasonably is, especially as a gateway into further application attacks that lead into system access, as the earlier video demonstrates. An attacker could sniff client traffic, grab viewstate, and attack it to possibly retrieve that client information. But why bother with that? The important part is an attacker can generate his own viewstate and directly attack the application and even the server on his own.

The attack is noisy. The attacker will generate a large number of exceptions in the logs, but unless there are specific alerts for such jumps in numbers or an analyst is watching logs in real time (yeah, right), the attack can be quick enough that detection won’t catch it before damage is done.
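One way to turn that “jump in numbers” into an actual alert, as an added example that is not code from the original post, from Microsoft’s advisory, or from any of the tools linked above: count CryptographicException entries per client IP inside a sliding window and fire once a single client crosses a threshold. The log line layout (ISO timestamp, client IP, exception type, message), the sample lines, the 60-second window and the threshold of 20 are all assumptions constructed for the example; a real deployment would parse whatever the application actually writes.

```python
"""Sliding-window alert on bursts of ASP.NET CryptographicException log entries.

Added example, not code from the post or from any of the tools it links.
The log line layout (ISO timestamp, client IP, exception type, message) is an
assumption constructed for this example; a real deployment parses whatever the
application actually writes (IIS failed-request logs, ELMAH, the event log).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One log line = "<iso timestamp> <client ip> <exception type>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<exc>[\w.]+):\s*(?P<msg>.*)$")

# The exception a padding-oracle probe triggers on every wrong guess.
PADDING_EXCEPTION = "System.Security.Cryptography.CryptographicException"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "exc": m["exc"],
        "msg": m["msg"],
    }


def detect_padding_oracle_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Alert once per client IP that raises >= threshold crypto exceptions
    inside any `window`-long span (lines are assumed to be in time order).
    Returns [(ip, first_timestamp_in_window, count)].

    A legitimate user with a stale or corrupted viewstate produces one or two
    of these; an oracle attack needs hundreds of guesses per block."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["exc"] != PADDING_EXCEPTION:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:    # drop entries that aged out
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], q[0], len(q)))
    return alerts


def build_sample_log():
    """Constructed sample: one benign failure, one attacker burst, one junk line."""
    base = datetime(2010, 9, 20, 10, 0, 0)
    crypto = f"{PADDING_EXCEPTION}: Padding is invalid and cannot be removed."
    lines = [
        f"{base.isoformat()} 198.51.100.9 {crypto}",
        f"{(base + timedelta(seconds=5)).isoformat()} 198.51.100.9 System.Web.HttpException: Request timed out.",
        "not a log line at all",
    ]
    # 40 probes in 20 seconds from one client: the shape of an oracle attack
    for i in range(40):
        ts = base + timedelta(seconds=10 + i * 0.5)
        lines.append(f"{ts.isoformat()} 203.0.113.5 {crypto}")
    return lines


if __name__ == "__main__":
    for ip, since, n in detect_padding_oracle_bursts(build_sample_log()):
        print(f"ALERT {ip}: {n} CryptographicExceptions since {since.isoformat()}")
```

The point of the per-IP window rather than a global count is that the one-off exception from a user with a stale viewstate never trips it, while a single client grinding through guesses does within seconds, which is the only timescale at which this attack can still be interrupted.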

five daily whip lashings yield 12% performance gain

Another mini-rant. I saw this today in an email:

…recent research on text-based tasks such as software development have shown that time improvements of up to 15% can be achieved with a widescreen monitor.

I’m glad that wasn’t about me! Really, reading something like that from a manager would make me feel like a rat in a cage or a sweatshop, milking as much productivity out of me as possible like some automaton. What if I didn’t make a 15% time improvement? Am I fucked?

It really should be something like, “Hey, Bob, what sort of configuration can we get you that will help you be happiest in your job with us?” Or if you can’t be personal, at least figure out a consensus with the team, not based around metrics, but around happiness.

Fine, times are tight in some places and metrics help justify budget expenses. But at least don’t let such statements go downward…

i need this done and bob is out of the office

A couple Friday quick-rants. These didn’t happen today, just in general!

Please don’t wait until 4:30pm on a Friday to make a non-trivial need-it-now request for something you’ve known about for more than a day. Don’t make me go crazy for your lack of planning.

And if that request is something that regularly happens and usually doesn’t involve me, please don’t tell me you don’t know any details. If it is that important to you and happens regularly, please educate yourself on the things that your job’s success depends upon. (Or, from my role, don’t hoard the details; freely share them. Even if they don’t make sense, they may help a future request succeed.)

being able to say no and hear no

No. One word, a complete sentence. We all learned to say it around our first birthday, so why do we have such a hard time saying it now when it comes to our work?

I read this article, No One Nos over at A List Apart, and really liked some of the thoughts it struck up. I work in security, infrastructure, operations. Saying some form of, “No,” is a nearly daily occurrence; and a nearly daily stressor (business always defaults to convincing “No” people to start being “Yes” people*). Whether it is a misguided project request, request for access to something sensitive, or configuration change without proper oversight. So any article talking about, “No,” I will usually read, even if I do so grudgingly.

I really liked this bit that was kinda left hanging:

Each one of us brings an area of specialization to our projects, and it is our responsibility to exhibit that expertise. …It is your duty to assert that capability and share your knowledge for the betterment of the final product.

Later on, the author talks about the answer, “Yes! No. Yes?” While I’ve never heard of something like that before, the concept itself is something I think many people naturally find, including myself. Rather than saying no outright, get on their side, but then basically say something isn’t possible or get them to realize the same. But it might be possible if we do xyz (which is usually hire more staff, spend more money, eschew policy/best practice…similar to pricing yourself out of a situation).

If I were to add something to the author’s message, I would emphasize the last couple paragraphs. I resent business in general that takes a, “Don’t say no,” attitude (irony?) on a general basis. We have to be able to (constructively, if possible) say no and also accept when a no is said to us.** (For deeper thinking on a Friday, one might draw some parallels to American culture and our legal system…)

I’m ranting a little bit, but really I agree with the author’s message.

Found via Jarrod Loidl’s blog.

* This ties in with my dislike of the “Give ’em the pickle,” business mantra. Avoiding “No” and also giving someone the “pickle” are fine, but only when the opposite party is reasonable. If the customer is unreasonable or the requestor is unreasonable, then cute maxims like these fall apart.

** I work or have worked in proximity to someone who doesn’t hear when someone tells them no. Few things in a job like mine are as frustrating as someone like that. This contributes to why sec folks drink and vent a lot! 🙂

insecure mag 27 available

Insecure Magazine issue 27 is available [pdf].

This is a shorter issue, and I honestly didn’t really take much away from it, but I did enjoy the article Payment Card Security: Risk and Control Assessments (pg 44). Specifically, I liked reading about FMEA (Failure Mode and Effects Analysis) and basically the rest of the article after that.

FMEA isn’t necessarily groundbreaking (you’re still pulling numbers out of the air), but I’d never heard of it before and I liked seeing a quick summary of bullet items to fill in for it.

The Preventative/Detective controls and Guidelines for Risk Mitigation mentioned later are collectively just a way to summarize PCI DSS requirements, but they are worded much better.

looking at pci stats from 2010 verizon dbir

I mentioned previously that I didn’t have much to add to this year’s DBIR. That’s not entirely true, but the thoughts below are definitely not a big deal. The DBIR already spent several pages on PCI-related material, and certainly didn’t (or shouldn’t) need to spend much more on it at this time.

But I still found some of the data interesting.

Which requirements have the best adoption? I’m not surprised by these results all that much. Encrypting transmission (Req 4) is an easy win* when you just look at SSL. Restricting physical access (Req 9) is also an easy win* if you lock your doors (please read the * down below before I raise your hackles too far!). Using and updating Anti-virus (Req 5) is likewise easy, although I’d question how many enterprises are actually validating that updating procedure! And policies (Req 12) are highly adopted, most likely because they tend to be fire and forget. Ideally, I’d like to see policies be the most adopted simply because they should be some of the first check boxes accomplished and/or the quickest to wrap up. (Then again, few people enjoy writing them…)

It is no secret that these particular requirements read quickly as the more clear and easier requirements.

Which requirements have the worst adoption? Developing secure systems (Req 6) is consistently pretty low, and not surprising: it is one of the crappiest single requirements in the PCI DSS. It is vague and downright huge. Regular testing (Req 11) is next, which again is not surprising (vuln scans, IDS/IPS, pen tests), although I think that is usually due to costs as much as anything, both in terms of human hours spent attending to those technologies as well as the capital costs of external pen tests or hardware to satisfy the requirement. I also find that Req 11 is one of the bigger “security geek” items in the list, that really doesn’t even involve general IT operations staff competencies.

As the DBIR rightly points out, the requirements with the most ongoing tasks associated with them are the ones least adopted.

Wait, 2 of them decreased?! – The DBIR mentions, but I don’t recall it discussing any reason why, that the anti-virus (Req 5) and vendor-supplied defaults (Req 2) requirements actually decreased 9% and 19%, respectively. AV, as mentioned above, is one of the higher adopted items, yet it decreased; and removing vendor defaults should be a slam-dunk for operations. Maybe the problem, like so many things that are shoddy with security in enterprises, is in the on-going verification of updated AV and validation that vendor-defaults are changed. Or maybe some breaches this past year took advantage of passwords that got reverted back or the attackers removed AV and nothing threw alarms about those systems being unprotected. Who knows…

Like I said, the DBIR didn’t need to spend even more time on PCI, but I found Table 9 (pg 54) to be pretty interesting…just like I had last year.

* By “easy win” I mean these *can* be easily met in limited circumstances. Reality for someone serious about security can still make these items strangely difficult and open to interpretation.

thoughts on my cowon j3 pmp

I’ve written previously about my mp3 player/portable media player purchases, namely the Cowon A3 (mp3/video player) several years ago and more recently my Cowon iAudio 7 (nano competitor).

I have now purchased and been using a Cowon J3 PMP. Since I’m not an electronics review blog, I’ll keep my observations short and somewhat personal. Obviously, I’ve been happy enough with Cowon to not deviate from them since I first purchased the A3 as a replacement to my original 4th gen iPod. (The 20gb iPod is ‘permanently’ attached in my car and I’m happy that support for updating it outside of iTunes is far better than it used to be, making it less ‘evil’ in my eyes than it used to be.)

My cons outweigh the pros in number, but as far as value goes, the pros far outweigh the cons in my book. The gulf isn’t quite as big as when I got my A3 or even the iAudio 7, but the J3 makes me very happy indeed.

Pros
– sound quality: In short, the sound quality is fucking amazing. I love the full equalizer control and ability to play with some of the enhancing effects in the JetAudio software. I’m hearing songs in a new light with the J3. The 3d surround enhancement also makes me turn around now and then wondering if someone is behind me. Quite honestly, the sound is beautiful and it alone is worth the money.

– easy management: The biggest selling point for me has always been Cowon’s ability to be easy to load files into. Just plug the device into a Linux/Windows PC, it registers as a USB storage device, drag files to the Music folder, unplug and enjoy! I also have no need for playlists, fancy artist/album groupings, or complex playback depending on my mood. I just want to shuffle my 3,000 trance/techno songs. Or 4,000 chill songs. I only have 5 folders holding all of my ~70gb of music.

– small, light: lighter than my cell phone, so it is pocket-worthy! That was always one of the few issues with the A3 being too bulky for normal pockets.

– microsd support: The internal drive is only 32GB, which is small for me, but I love the microsd support. I can buy a new 32GB microsd card, load it with my chill music, and when I want to listen to it, just insert the card. Or just always keep the card in for 64GB available at all times.

– radio: Ok, I don’t listen to the radio, but if I ever needed (weather, emergencies) or wanted (sports, wake-up alarm) to, this guy has a built-in radio function.

Cons
– video support: Somewhat surprising, the files I’ve ripped from my movies that play on my A3 don’t play on the J3. This is somewhat perturbing as I’d rather not re-encode all my files. This kinda leads me to the conclusion that I should just rip my movie backups into ISO files rather than encoded media formats which may become useless or too lossy in the future (a debate I’ve been having with myself for some time now). The ISO files will always be useful as sources for doing future encodings, and my desktop systems will read them just fine for immediate playback. Anyway, it is not a huge deal as I’ve only rarely watched movies on my A3, and my A3 is still quite capable in that regard.

– mp3 playback shows album art: Some people wouldn’t think this is a con, but for me it is. I don’t download and update and manage album art, so most of my songs end up with a blank default icon filling about 2/3 of the mp3-playing screen. I’d love to turn that off or change the display or just have a generic wallpaper, but I’ve yet to find that option. This device isn’t going to convince me to start complicating my life with album art management. I find this a weird inclusion for a device really touted as the simple alternative for people who don’t want bloated music management.

– need an AC adapter: The J3 charges via a USB cable connected to a computer. However, while plugged in, you can’t use the J3 as it goes into a locked mode. Using the AC adapter will allow charging+playback. Not expensive or a huge deal, but just a small annoyance.

– special USB cable: The USB cable is not one I’ve seen before; and of course not one I have replacements for.

– included earbuds: Ok, the earbuds are just fine soundwise, but once you put the soft covers on them, you can’t tell visually which is the Left or Right earbud. I just scratch the outside of the Left one to tell. Also, I don’t get why one side always has a shorter length than the other.

– slow startup: The startup of the J3 is surprisingly slow, but not something that is a huge deal to me. I’m not impatient.

– doesn’t start music upon startup: Again, not a huge deal, but sometimes I’ll go a few minutes without any music before realizing I need to touch Music, and then Play to get things going. My A3 just starts right into whatever was playing when I turned it off.

– spotty accessories: The Cowon isn’t the biggest player on the market in the States, and as such the chances of scoring excellent accessories such as a padded case are slim. In fact, I still carry my A3 in a PSP case, which it fits into perfectly! I have yet to find something similarly perfect for the J3. Basically, just a padded sleeve of some sort is fine for me.

– shows fingerprints/scratches: The touchscreen and body show fingerprints easily, and the back metal can scratch easily. The “new” appearance of gear is always a tough mental battle to fight, but it is easiest to just accept that things will get scuffed, rather than fret over it! There are more important things in life to fret over.

adobe 0day banshees flying about

Just a quick mention of new Adobe 0days that are making the rounds. I may not have bothered since details are so few at this time, but the media is all over these two, particularly the Flash issue. Neither are patched, and Adobe has provided scant mitigation details. Probably because most of the suggestions involve crippling their software or using additional/replacement software that essentially says, “don’t use our tech.”

A week ago, Adobe Acrobat/Reader were hit with a 0day being exploited in the wild.

Yesterday, Adobe Flash had a 0day advisory announcement.

I’m pretty tolerant when it comes to security vulnerabilities in software. While I side with those who say we need to build things secure, I just don’t think that is ultimately realistic. I also have at least some proximity to business and software/web development, so I know what often does or does not go into those processes. I can tolerate security vulns if the business plays response really well.

I can even tolerate security being a new thing to a business and them playing catch-up for a while, kinda like Microsoft has done with Windows and Office products. But Adobe doesn’t appear to be improving, in my observations.

The lesson that gets lost in all of this, though, especially with the general computer-using public and media is the problem of feature bloat trumping security concerns. Adobe may take the lumps from the vulnerabilities, but all of this is probably enabled directly by user demand and use of those features. So, thanks for needing/wanting those features and making the rest of us less secure. (The same argument I make about HTML in email. Thanks for that, Marketing…)

offtopic – starcraft 2 on brutal

I just recently beat out the Brutal difficulty level in Starcraft II, so thought I’d just share some tips on the levels I found to be hardest. For better tips, just look up the levels in YouTube for examples of good play. For any player, I’d suggest doing the Normal campaign first, then Hard, then Brutal once you know what you’re doing. If you want multiplayer strategies, I’d highly suggest following Force’s Starcraft 2 Strategy YouTube channel. Have fun!

Outbreak – I found this to be surprisingly difficult. On Brutal, I made 3 bunkers at each entrance, manned mostly with marines and marauders. I didn’t do much with hellions. It helps to focus fire aberrations and the shooting infected. I didn’t bother with the expansion and it helps to wipe out one whole section (I did top) to basically relieve that entrance defense. Return to base with at least 30 seconds of daytime left.

Welcome to the Jungle – The mission wants you to use Goliaths, but they’re just too weak. I had problems early on here, even in Hard! But this mission is actually very easy if you just build up a Marine-Marauder-Medic ball (about 4 marines to 1 medic to 1 marauder) with upgrades and just hop from protoss force to protoss force. Rather than mine any gas yourself, just wipe the protoss off the map and you’re free to do whatever. (There’s even a feat of strength achievement for that.)

The Great Train Robbery – The key here is to build a second Factory and simply pump out Razorbacks along with some marine-medic support. Roam around and kill bunkers when they start getting placed. This is easy once you know what to expect.

In Utter Darkness – A fun mission, but my least favorite to complete and one of the 3 hardest ones. Open with 10 more probes rallied to your minerals, a dark shrine, 2x gateways, and a starport. Then wall off the top entrance with another gateway, and plug the holes with zealots on Hold. From there, start producing (preferably with warp gates) Dark Templar, while using your force and the DTs to beat back the first 3 waves (done right, you won’t lose anything but a phoenix or two). From there, you should have enough time to make enough DTs to do a Hold wall on each entrance. If you get to that point, the rest is easy. Switch to building Void Rays, and use your voids/phoenix to focus fire any Overseers (detectors); basically poke at any approaching waves, kill any detectors, then get out before they reveal and kill your DTs. Pepper your base with cannons using all extra minerals, get air upgrades, and when you can, transition into building carriers. At about 1500-1800 kills you’ll likely need to fall back to the high ground, and the kills will start to rack up quickly. Don’t make a single other ground unit besides DTs enough to make full walls. After the first 3-4 waves, whatever ground forces you have are inconsequential anyway as long as your DT walls hold.

Supernova – One of the 3 hardest Brutal missions. I cheesed this one, though I didn’t want to. I got my CC into the far right-middle of the map along with some repairing SCVs and about 12 Banshees. I then waited until the last few moments to slide up and destroy the artifact. I really always had trouble with these missions with soft or hard timers on brutal. I’ve heard doing this mission when you have Thors makes for an easy win.

Engine of Destruction – One of the 3 hardest Brutal missions. This mission is a breeze if you have Banshees and Vikings unlocked (I didn’t so I had to actually start over; Wraiths are too weak). Build a bunker and siege tank (in siege mode) as your defense in the north. Build a second starport and start pumping out Banshees and later Vikings. Use the initial Wraiths to soften the first 3 bases. Kill Medivacs, Siege Tanks, Battlecruisers, the lone Raven in base 2, and if time permits, Bunkers and Razorbacks. Rally your Banshees north of your bunker as none of the attacks feature anti-air units. If you get past the third base, the rest is downhill from there; just keep making air units. I’d suggest squeezing in an Armory and air upgrades as well, and maybe take over the geysers left behind in the second base. A few Science Vessels are nice, and keep SCVs near the Odin to repair him if he gets into trouble (beware, in Brutal the AI will target repairing units!). Later you’ll be attacked from the south after base 4, but either ignore it or mop up with your air. For my winning playthrough, on base 5 the Odin actually got down to 24 hp. Close call!

Maw of the Void – This took me several tries, but my key was to get an Armory early and start warming up air upgrades. Later on the Protoss will be 3/3 and your battlecruisers need to match that. Use the DTs you free to soften the bases up and for sure to take out the last northern and southern generators using some kamikaze-like runs; done right you’ll have just enough alive to get both down. If the mothership vortexes half your fleet, send the rest in and wait it out. You shouldn’t lose a single BC, until the last pushes, with proper repairing and a few support Science Vessels. When not attacking, put them in the middle of the map to cut off any protoss transports or attack waves. Same with DTs (but watch out for attacks with Observers). Be sure not to go too slowly; the protoss can win this through attrition as there just aren’t all that many resources when you have a BC fleet.

All In – I pulled back my defense and built 3 bunkers on each approach. While garrisoning them up, build all Siege Tanks and Banshees. The tanks are for defense on both sides and along the artifact cliff base (just keep building until you have a screen-full!). The Banshees are to be sent out in force to kill Nydus Worms while cloaked and to add firepower against Kerrigan. I helped my base defense with a line of southeast turrets as well, for the Overlord swarm. To save the artifact later on, build a bunker near it, put some marines in it, and then cover the rest of the artifact plateau with Perdition Turrets.

A Sinister Turn – Get the Robo bay early with a pylon as far back as you can get it. As long as you don’t draw attention to it, it won’t get attacked. Just build Immortals with a few Zealots and Stalkers and you’ll find this easy. Immortals pwn Maar and anything else here. Stalkers start with Blink, so it really helps to Blink them away from Maar after absorbing a few hits. Micro-management of forces really helps on this map.

The Dig – There are three keys here. First, get a defense up early because the first few waves can wipe you out. Even bounce your ground force back and forth until you have enough units. Second, rather than bother with the expansion to the south and moving your bunkers north of it, just bunker the ramp to your base. If you need it later, you can salvage the bunkers. Third, make constant use of the drill to take out Colossus (they give sight to high ground which is killer), High Templar (Psionic Storm destroys tank clusters), Immortals, Archons, and Void Rays when they show up. Queue up multiple targets with the drill to give you more time to develop the rest of your economy and defense. Favor marines and place a few extra turrets for the air waves.

Really, for every other mission, the typical MMM-ball works wonders.