finding a quick and accurate state of security

Those who have done security consulting or auditing will probably answer this question far better and quicker than I. In fact, I bet there are checklists available that I could grab in minutes to answer this. Maybe I’ll check for some after posting…

Nonetheless, I decided to do a thought exercise with myself: What would you look at or do to discover the biggest information security issues in a corporate environment in a quick amount of time? It’s one thing to be on a job for a year and ferret out all the dark secrets, snowflake servers, and weak adherence to policy. It’s another thing to take a job interview or day-long interview with someone(s) about security posture (and more than likely get told what sounds good and correct).

But what would one look for to get a quick, accurate, and fairly wholistic look at the state of security, and thus formulate some findings and courses of action to tackle them? And I’m not going to take the easy route (necessarily) and list off the CIS Top 20 Controls, even though they’re a good place to orient the evaluating of an environment. I also want to avoid questions that few people can answer easily or are easy softballs, like knowing what data is on all mobile devices that might go missing, or that encryption is employed on all mobile devices.

1. Interview the technical people in the trenches. Ask them what the biggest security problems are. Not all of them will care about security or have any thoughts beyond their own job, and some will not be very open in group settings or with a manager present, but I have long been of the opinion that people in the trenches have a finger closer to the pulse than most management will care to admit. Find the subset of IT geeks that have security opinions, invite them to dinner and some beers/wines, and ask the questions.

2. Internal authenticated vulnerability scan that covers at least 50% of the environment and at least a sampling of every major Operating System (including workstations). There are some main goals here, such as seeing patch level and consistency, and configuration consistency in the environment.

3. Scan and analyze health of Active Directory. This includes not just looking at the objects, but permissions with a Bloodhound scan of AD.

4. Inventory scan of local administrative access (or equivalent) on all Operating Systems.

5. Percentage of confidence in these systems being accurate and complete: hardware inventory, software inventory, network and business systems diagrams.

6. The state of policies and supporting procedures documents relating to technical security controls. This is not talking about an Acceptable Use Policy for end-users or high level policy statements, but how detailed and easy these are to find and consume.

7. Describe the security awareness training offerings for internal employees.

8. Analyze network firewall policies/configurations. For this, I am looking at how organized the rules are, how tight they are, and how documented they are. What is the process to change them?

9. What are the next 5 projects related to security initiatives? If none, how many security employees are there? Basically, if someone doesn’t have security projects, perhaps they are in a mature mode with existing staff. If neither really exist beyond reaching for strange ideas that probably aren’t approved or backed by management, there probably is not much security emphasis, if any at all.

inventory is your bedrock to build everything else on top of

(This is an incomplete draft I’ve had for a while now. I don’t think I’ll ever complete it, but I didn’t want to lose it or keep it as a draft, so here it is.)

Daniel Miessler has a great article up: “If You’re Not Doing Continuous Asset Management You’re Not Doing Security.” You honestly cannot dislike that title, and the article itself is full of the points enlightened security folk should already have in their heads.

There’s a reason the top 2 controls in the CIS Top 20 Critical Security Controls are all about inventory. It drives every other thing you do in security, and without it, you’re managing by belief and never really sure if you’re being effective or not.

There are many different ways to tackle inventory, but here are some of the common ones:

  • workstation-class devices – This is usually one of the easiest to handle, since the team responsible for workstation procurement likely has an inventory of what they have in order to please customers. Being able to tap into this inventory list, or at the very least view it, is essential. For instance, how do you know you have Antivirus or endpoint protection on every workstation? You have to true that up with the inventory list. Think about the question, “How would I know something is missing security control XYZ?”
  • mobile devices (on your network and/or company-owned) –
  • servers – Typically, one team manages workstations and another team manages the servers. This team should have a handle on some beginnings of an inventory system due to licensing needs, storage/compute resource needs, and other OS-specific collections such as Active Directory or patching coverage. But the same question applies herre, “How would I know something got missed in inventory?” Or in the case of a largely Windows environment, “How do I find a new non-Windows assets that is stood up without notice?”
  • networking assets – This could include diagrams of the networks, both logical and physical when needed, for both wireless and wired networks. If the networking team manages it, it should be in this group.
  • all other network devices – This covers all the other things not nicely slotted into the above categories, like appliances or IOT. This also covers unauthorized device discovery. Essentially, if something is on the network, it needs to be found and known.
  • the cloud – The cloud is often a different beast, especially when consumed dynamically with assets coming on and off as demand moves. Worst case, you go through all other steps above over again with “cloud” in the front of it.
  • internal information systems/sites – This is about knowing the information systems that your business and users consume, which often comes in the form of internal websites, but could be other tools and systems. Largely this is defined by things that store/handle data.
  • software and applications – A huge endeavor on its own, but nonetheless important to know the software and applications in use and needed (and hopefully approved and tracked).
  • external attack surface/footprint – This is what attacks can see and will target; high risk and high priority assets and paths into the organization. This isn’t just Internet-borne, either, but could come in through other weak links such as wireless networks or VPN tunnels.
  • vendors – A good risk management program will have an inventory of all official vendors, which will fuel risk reviews and inform security of what is normal.
  • third-party services hosted elsewhere – What services does the business and its users consume that you don’t strongly control? This likely will still impact account management and permissions, data tracking, and evaluation of those services since you have some measure of intrinsic trust in them which is a potential risk for you.
  • critical business systems – This could be considered a little advanced, but it’s about knowing what’s really important to the business, which informs risk priorities, spending, and other activities like BCP/DR.
  • data/critical data – You can’t secure data if you don’t know where it is, and have some idea on what data is more important than others. Yes, this one is difficult outside of narrow compliance definitions (aka all data vs just credit card data). Honestly, this bullet item should be a top level category in itself.
  • authentication stores – This is about knowing what accounts you have, where they authenticate against (are stored), and what your users and systems actually use to do things.

There are different methods to find this out:

  • process/documenting – This is the default method shops will use to track inventory. If someone stands up a new box on the network, they update some inventory sheet or make sure they follow some checklist to include the new asset in something else (adding it to monitoring, patching, or joining a domain). This is a trust exercise, as you need to trust that every team member follows the process and every process is all-encompassing. This includes decommissioning assets as well. This should also include the assignment of ownership: who in the company is ultimately responsible for this asset?.
  • active/finding – Most of the time, security should assume the worst (trust, but verify), which would be finding assets that are weird exceptions or just get missed in the normal process. Active inventorying means looking out onto the network and scanning it, finding assets, identifying them, and pulling them back into visibility/compliance. The opposite is true as well, you want to find assets that aren’t meant to be there!
  • passive/watching – There are also passive techniques to find devices, such as watching all network traffic or alerting (and even blocking) unauthorized assets from accessing the network. This is still a fallible control, but it is part of the puzzle of knowing what is on a network.

There are a few caveats to the above. First, it’s not 100%; there may be a “bump-in-the-wire” or other passive device on the network (think a network tap just collecting data). There are also device peripherals (mice, keyboards, headsets, readers of various types…) Tackling this is a bit advanced. Second, especially with the active methods, this needs to be done continuously, or the controls need to be continuously active. If you do active scans once a day, an attacker or insider could still turn on a device, do whatever, and turn it off in time for the next scan. Handling these windows is why we practice continuous improvement and defense in depth and why we map out maturity plans.

And Miessler includes 5 questions that drive the measurement of a security teams based on how they answer them:

  1. What’s currently facing the Internet?
  2. How many total systems do you have?
  3. Where is your data?
  4. How many vendors do you have?
  5. Which vendors have what kind of your data?

consuming infosec news and social commentary

(This is just me publishing an incomplete post from the past.)

How do I consume and keep up with infosec news?

Twitter is an always-running stream of water. You walk up to it when you’re thirsty, take a drink, and then walk away. You don’t try to catch everything that falls through while you walked away.

Those of us who grew up with IRC don’t find that a weird or foreign concept, since it often operates the same. You walk away from IRC for a day, and then come back, but you don’t typically try to read the entire buffer of any busy chat. You look for a few topics of interest, perhaps, or highlighted key words, but otherwise you just sit back down, read a screen or two up, and plug yourself into the conversation as is. Busy Discords can work this same way when conversations are not split up into multiple channels.

Pet peeve: Breaking topics into too many channels too quickly. This setup works for very busy forums or messenger/chat locations. But it kills momentum for anything not super large. It splinters discussions down from a healthy rate to a trickle that won’t keep anyone engaged for long. It also requires its users to keep clicking through various channels for any chance to keep up with conversations. I think what happens is new Discords/Slacks/Forums see how the big established ones do it, and they try to emulate that structure immediately. But that doesn’t work in the end. You need traffic first before justifying the splintering. (As someone who has lived 90% of my adult life in some form of online community, and as someone who has run several of them years ago, I have plenty of opinions on this topic…)

music to learn and hack to

(publishing an old “incomplete thoughts” draft) We all have a preferred environment and/or music we prefer to hack and learn and work in. Most recently, I spent much time at home practicing and learning in the PWK/OSCP labs and exam, and often to a background of music. I thought I would share some of my interests in this regard. If you read nothing else here, at least go give SomaFM a listen, particularly their DefCon Hacker Radio and Groove Salad stations. I’ve been a regular listener of Groove Salad since around 2003, and it’s absolutely excellent.

When I’m heads-down doing something, most of the time I’m probably listening to one of four types of music.

The most common for me is “chill out” music, largely electronic, but could also be acoustic or traditional. This largely stems from enjoying new age music from the 80s/90s, which then expended into electronic music through the late 90s and on (think Enigma and Kitaro transitioning into Underworld and Sasha). Unless I’m listening to my own stuff, this is where I’ll tune into Groove Salad on SomaFM. I don’t remember how I found the station or why or what led me there, but it definitely solidified “chill out” as a thing that I totally dig. (And I totally geeked out when BackTrack used to include a SomaFM bookmark in their default browser!)

I’ll also enjoy other electronic music, but if it has more intensity or a beat to it, I don’t include it into the chill category, and instead gets lumped all together into my general electronic folder. This encompasses anything from classic trance, goa/psytrance, dubstep, edm, and so on. I tend to stick to my own collection when listening to this, but might queue up a large set of stuff on YouTube, or use SoundCloud to listen to some sets or DJs, or maybe Pandora, or Digitally Imported feeds on TuneIn Radio.

Sometimes, I’m in a really heads-down mood or just want something less electronic, and I’ll turn to either normal classical music, or something less orchestral like cello, guitar, or piano artists doing their own thing. Most of the time when I listen to this, I’m firing up TuneIn Radio and just listening to the Iowa Public Radio Classical station. No ads, decent quality, good variety. Failing that, there’s tons of long collections on YouTube to listen to.

Lastly, I’ve also always enjoyed hard rock which borders into metal, but never really metal. I tend to be pretty picky when it comes to this (Metallica, Tool, White Zombie which betrays my age…), but more lately I’ve gotten into symphonic metal bands. I still have plenty of things I consider to be “harder” rock music (basically anything more intense than “pop” music), and sometimes that’s my mood.

common guides to pen test pivoting and tunneling (or tunnelling)

Tunneling and pivoting through a network can be a slightly mind-bending experience at first. I did plenty of this during my time in the PWK labs, and the guide, Explore Hidden Networks With Double Pivoting, proved to be very useful. Likewise, A Red Teamer’s guide to pivoting, looks like an excellent resource, largely if you have root access already and need a better way to get back out. (Edited to add this new one:

As a bonus, the second link also includes some shell upgrading techniques at the end.

Other links:

For my time in the labs, I started out using single hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh root@ -L 81:

Later on, I learned to do more dynamic SSH forwards with proxychains:


I used a dynamic ssh tunnel via John:
ssh -f -N -D j0hn@ -p 22000
Tested with :
proxychains nmap -sT -Pn

ssh -f -N -D sean@
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D root@ -p 222
leafpad /etc/proxychains.conf
proxychains ssh luigi@

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 sean@ ssh -t -D 8157 mario@ -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 8080

the oscp cocktail, preparing the pwk

A while back I earned my OSCP. I have written my reviews of it in two parts, once just on the logistics of my course experience, and another with advice to others. I often see requests on what to do to prepare for the OSCP or what it takes to earn it, and I have a saved response that I often give out to those learners. And I realized I’ve never really put it down here on my blog in complete format (a large chunk of it comes from the aforementioned advice post). So, here it is in entirety: my advice to people with the question, “Am I ready for the OSCP?” (A.K.A., part 3 of my OSCP series…)

Let’s first take a step back and ask this question: “What do you hope to get out of the OSCP experience?” In other words, “What is your purpose?”   

There are two main goals for the OSCP, though one really overshadows the other. First, the OSCP cert will open doors to pen testing and other security jobs; it’s a way to confer some immediate credibility amongst those who know what the cert is about. Secondly, and most importantly, the cert and lab are ways to teach pen testing methodology and frame of mind; how attackers work. It’s not about pwning more systems, or getting another add on the resume/CV; it’s about learning how to think like an attacker and efficiently evaluate systems and provide value for customers and admins.  

My OSCP prep advice is pretty much always the same, and yet it depends on what every student brings to the table. For me, if I were making an OSCP cocktail: 

  • 1 part Windows admin – know how to turn services on and off, add users, change passwords, browse through cmd and windows explorer, RDP, etc.
  • 1 part Linux experience – Know how to move around directories, read files, create files, use a text editor, create users, change passwords (linux essentials or linux+ prep courses will help)
  • 1 part LAN networking – TCP/IP knowledge, ports, arp, wireshark/tcpdump familiarity, firewalls (host and network), dns
  • 1 part security knowledge – general attack classes, goals, major OS vulns over the past 20 years; a pen test course or book works
  • 1/2 part Kali experience – poke around it a bit, experience installing it, logging in, location of some tools and the interface
  • 1/2 part Metasploit knowledge – have used it a bit, run through the free Metasploit Unleashed course
  • 1/2 part web server/client knowledge – nice to have hosted anything with apache/iis in the past and understand config files, ports, php/javascript a little, client vs server-side processing, dash of SQL syntax
  • 1 part coding/scripting logic/basics – if you can make a bash/perl/powershell/c/python script or have coded in the past enough to read and minorly edit script/code chunks, you should be good to start; nothing amazing
  • Sprinkle of efficient Google searching ability 

Bring all of that or more to the table, and you’re set to be slammed in the face with the course material and then hit the ground running in the labs.  

Keep in mind, the course is an entry into pen testing; it’s not a requirement to have popped root shells in the past. The course will grab your hand and start you off the on the path. 

If you want the best example of what you’re in for, go to cybrary and have a perusal at Georgia Weidman’s Advanced Penetration Testing course. It’s free, and will be the closest and quickest way to see what you’re in for. Vulnhubs and hackthebox are fine for practice and to understand the process of enumeration, but they’re not necessary at all. 

Google for OSCP reviews. They are full of suggestions and resources, and usually give a great idea of what the course and exam experiences will be. Don’t over-mystify the course or exam, and thus, don’t over-prepare! Dive in and get on it. 

Try to become familiar with the Kali Linux and the tools it has and the layout. This will be your home base for the course, and has pretty much everything you’ll need.

For those newer to Linux, start using a distro on a day-to-day system and find some online courses on Linux security and administration and shell scripting/commands. Linux+/LPIC-1 level skills are good, anything beyond is great. Also suggest a Bash Shell/Scripting primer.

For those newer to Windows, find some courses on Windows security and OS administration. This includes hosting server-type applications (e.g. web platforms).

Learn some Metasploit. It’s worth it and it’ll get used, whether in the course or beyond as a pen tester. Off Sec has a free Metasploit Unleashed course.

Learn some basic, free, staple tools and get comfortable with working various switches: nmap, unicornscan, curl. Google the top 100 security tools and at least know what you could use each one for. You don’t need to wield/install each one, but feel free to try any out.

To get familiar with some of the big security issues over the past 15 years, grab a copy of Hacking Exposed (McClure, Scambray, Kurtz).

For pen testing theory, check Penetration Testing: A Hands-On Introduction to Hacking (Weidman) or the slightly more up-to-date The Hacker’s Playbook 2 (Kim). The Hacker’s Playbook 3 is even more updated!

Have a decent enough grasp of networking to know how TCP/IP works in general, use and read some Wireshark/tcpdump output, and understand IP addressing, firewalls, and ports.

Have a decent grasp of how web technology works, from configuring web servers, looking at simple HTML/PHP/ASP code, simple SQL queries, and how browsers interact with the web server.

Install some security-related browser add-ons and poke around the Developer tools in place in every major browser these days (F12).

Dive into Python or Perl enough to get into Socket or web request programming. Very useful to start swimming in the ocean of editing or making exploit code or enumeration scripts. Having had a course or class in basic programming is great, as you can start to consume any language if you know the logic. (This is not necessary, but very nice!)

Start thinking like an attacker. This often comes with experience, but start thinking of ways you can get to Goal X or Access Y. What mistakes do you look for? What isn’t default?

Lastly, know that OSCP/PWK comes with course materials and videos that teach you everything you need. So don’t think you are going into this being tested from day 1 and spend 2 years trying to prepare for something that is meant to teach you new skills in the first place. You’re going to be learning from day 1 until day X.

So, what can you do to practice, if that’s what you feel you need to do? Download and install a Kali VM. Join Hackthebox (HTB). Watch Ippsec YouTube videos on retired HTB boxes and follow along. Download VMs from vulnhub and follow walkthrus on those boxes. Read OSCP reviews for more viewpoints. Pwn and have fun!

passed ccsk

In mid-August, I continued my studies into cloud security by tackling the Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) v4 (2017). This is a vendor-agnostic certification based around guidance documentation for cloud security topics (commissioned from Securosis, by looking at the author list). This is a really good treatment of cloud security, with heavy applicability to pretty much everything other than procedures on how to actually do the things in various services.

Logistics. The cost is about $400 and comes with 2 attempts to take the 90 minute 60 question exam. The exam itself is mostly multiple choice with some true/false questions thrown in. Passing is 80%. The exam is also available online, so you can not only take it at home any time you want, but it is also an open book exam. The study materials are really threefold. About 87% of the exam is taken from the CSA Security Guidance v4 (2017) which is 152 pages long. The rest of the exam is pulled from the CSA Cloud Controls Matrix (a spreadsheet of controls) and the ENISA Cloud Computing Recommendations (~150 pages). If you’re absolutely crunched for time, I think a student could be fine just being aware of the ENISA and Controls documents. Though, honestly, they’re really good materials to consume, exam or not. Oh, also they’re all free to download past a register-wall you can fake out.

Exam Details. The exam questions from the ENISA and Cloud Controls Matrix materials are actually labeled to say they refer to those materials, so you don’t really have to guess. I had some questions with those dreaded “A and C” or “A and B” answers. I would also say that about half of the questions I could do a Find on the materials relatively easily, and less than half the questions were much harder to do that. It definitely helps to know the general format of the main document and where answers will come from and I found it pretty clear most of the time which domain a question came from. The only overlapping domains that get a little confusing are the Management Plane and Infrastructure Security domains. I ended up using 86 of the 90 minutes on my first pass through the questions, with an answer for every one. I then spent all but 20 seconds of the remaining time reviewing 6-8 questions I had marked for review. You do not get to see the answers after you finish, but you get an extensive breakdown on how you did on the 14 domains and 2 additional materials.

Realistic Expectations. I think someone with 1-2 years of cloud experience will still find something to learn through the exam. Someone with 2+ years of general infrastructure IT or IT security should be able to follow along pretty easily as well, and learn a lot about cloud computing considerations. This isn’t some crazy difficult senior level type of certification, but it’s also not a push-over either. I think it’s really the price tag that keeps it from being something you just do to pocket it, and you only do it when you actually want/need it. I think anyone working in cloud security or even engineering/architect should honestly have this cert unless their experience level is already beyond it. There is also training offered, but I honestly am not sure it would be necessary unless someone is new to IT.

My results. I have a long background in IT solutions and systems and security (15+ years), which means the material felt very comfortable to consume and made for easy (if dry in some sections) reading. My cloud experience is minimal, but growing right now (I passed the AWS Cloud Practitioner certification about 2 weeks before this one). When I sat to use my first attempt on this material, I did so not really being confident that I would pass, but wanting to see what the exam was like and what my gaps were. I typically have 2 desktop systems at my desk (3 monitors total) and I can set up another dual-monitor laptop when needed, which I did for this. Doing so allowed me to have all three documents up while also having the exam front and center. This let me look things up very nicely. I also had some somafm going on in the background as my preferred mood music. I felt good going through my first attempt, and was surprised by passing on that first try quite comfortably. I will say if I hadn’t been able to look up answers, I don’t think I would have passed this as the questions really do get a bit tricky. That said, the material along is well worth the time spend to read and reference as you or your organization make moves into modern cloud services.