January 31

From Defcon to ShmooCon: Where Will Your Travels Take You?

As the first month of the year comes to a close it is time for those of us in the IT Security field to decide what we will do to fulfill our CPEs for the certifications we hold.   This is exciting because it means that it is time to start considering which conferences you plan to attend this year.  It’s not too early to start planning, since getting time off and applying for possible company reimbursement can take time and need to be planned well in advance.

If you were planning on going to ShmooCon, it is too late since that just happened last month.  However, there are plenty of others coming down the pipe.  The conference likely to be most noted, most well-attended, and potentially most fun this year, as every year, is Defcon.  Defcon was a blast last year when it marked twenty-two years since its inception, a fact that makes me and many hackers feel old.  Last year was also the final year for this conference to be held at the famed Rio Hotel and Casino, a blessing in disguise as it has clearly outgrown the facility.  This year and, according to the website (https://www.defcon.org), for several years to come, the conference will be hosted by both The Paris and Bally’s Casino and Hotel, right there on the luxurious Las Vegas strip.  These two locations should provide the conference with ample space to serve attendee needs.  If you can only go to one conference this year I would recommend Defcon.  Tickets cannot be purchased in advance but were only $220 cash at the door last year.  You can, however, book your room with a special discount as of this week.  If you want to stay at Bally’s or Paris and be right in the thick of it, it would behoove you to book your room now.

There are plenty of other conferences that happen later this year.  Just before DefCon is Blackhat (https://www.blackhat.com), which is very expensive.  Therefore, many people only go if their employer foots the bill.  If they will pay I recommend this conference as it has many interesting talks and is a bit more professional and organized than Defcon has been in the past.  This does not necessarily mean it is more fun, but if you are able to get company cost coverage why not spend an entire week in Vegas and attend both conferences?  There is also the B-Sides Las Vegas Conference (http://www.securitybsides.com/w/page/12194156/FrontPage), which takes place just before Blackhat.  You could easily spend a week and a half in Vegas attending these three conferences.  B-Sides also has a plethora of other conferences all over the US and Europe; these are listed on their website.

DerbyCon (https://www.derbycon.com/) takes place this September (according to the website tickets may already be sold out).  There are several good conferences that take place in Europe as well.  In Amsterdam there is the Hack-in-the-Box (http://www.hitb.org/) conference, which has not been officially announced yet but often has some really great speakers, and the fact that it is in Amsterdam is a bonus.  One last conference that has been popular in the past, and which some people who have attended tell me is a very fun experience, is the Chaos Computer Club (CCC) Congress (http://www.ccc.de/en/).  This takes place in Köln (Cologne, for Americans), Germany, and is one of the things on my bucket list.

The conferences I have mentioned are not even the tip of the iceberg; there are hundreds of choices all over the world.  There may even be one in your local area that does not necessitate travel and an expense account.  This site (http://www.concise-courses.com/security/conferences-of-2015/) has a fairly comprehensive listing of conferences.  There are different conferences that cater to professionals of every specialty.  Take a look at the list, decide where you want to go this year, and start making your plans.  If you are looking to get your company to send you it would be a good idea to start asking now.  We all know how slow corporate bureaucracy can be, so better start those wheels turning now so you don’t miss the boat.

January 24

Hacking Without Breaking the Law

After four years in a university exploring the academic side of offensive security, I have come to realize that no amount of theoretical knowledge can be considered a substitute for real world, practical experience.  I have had the undeniable advantage of working in the field for a number of years gaining a considerable amount of such experience, but the most useful practice I have gotten has been from another source altogether.  Best of all, this experience was both free and legal.

Most of the tools that professional offensive security practitioners use are free, and the majority of the most popular ones come in a free Linux distribution called Kali Linux (https://www.kali.org/downloads/).  Armed with a virtualization client, such as the free VirtualBox (https://www.virtualbox.org/) and some spare time to explore, there is a lot of practice available.

If you are just getting started, there are hundreds of options out there.  All of them will help aspiring offensive security practitioners, penetration testers, and hackers improve their skills.  A great tool to start with is provided by Rapid7, the owners of Metasploit (arguably one of the greatest hacking tools in existence).  This tool is designed specifically to teach beginners how to perform a plethora of hacking exercises using Metasploit.  The Metasploitable 2 VM can be downloaded from https://information.rapid7.com/metasploitable-download.html.  Metasploit itself can be downloaded from the same site but is also included as part of the Kali Linux distribution.

A couple of weeks ago I decided to undertake the “Brainpan 2” hackable VM challenge.  This is one of many virtual machines that are out there to help offensive security professionals and enthusiasts to hone their skills and get practical experience in a lab environment.  In general it was an educational system to work with.  It was enjoyable to hack into and challenging to find ways around the security.  This is more of an intermediate VM.  If you are interested in giving it a shot yourself you can access it and a ton of other great vulnerable VMs here: https://www.vulnhub.com/.  Vulnhub.com offers new VMs on a regular basis ranging in difficulty from beginner to expert.  Some even offer prizes for solving them first or in a new and interesting way.

Further hacking experiments are available elsewhere.  If you prefer not to install VMs, just install Kali Linux (available at https://www.kali.org/downloads/). Then, go to one of a large selection of websites that were designed to be hacked.  These websites are created for just this purpose, so there is no concern about the legality of honing your hacking skills by attempting to break in.  For example, check out https://www.hackthissite.org/ where there is a series of increasingly difficult challenges that teach practical web application hacking.

In short, there is no limit to the opportunities to practice hacking.  Anyone, as long as they have a computer and some time, can use them to their advantage.  If you Google “hack this site” there are over 45 million results, and vulnhub.com has hundreds of VMs.  I have been working on these steadily for about six years and am not halfway through all the choices.  However, if you do happen to work through all of these, there are even more VMs on GitHub and a plethora of paid services that provide virtual networks, as well.  So if you are looking to learn how to hack there is no need to spend money or break the law.  Just install some free software and start hacking!

January 19

Think. Pause. Post.

[Image: Not Anonymous poster]

I have these two security awareness posters that I made last week and I thought they deserved to be shared with the world.  The one with the Anonymous logo is in response to a problem that I have seen getting worse and worse, and some awareness is in order.  I am posting these with something like a GNU license; they are free to use and post where you wish, just please give credit where credit is due.  If anyone would like the Microsoft Publisher version for better quality, to make changes, or just because, feel free to shoot me an email (john.r.nye [at] gmail [dot] com), message me on the various social media I am a member of, or even leave a comment here on my blog.

[Image: Free Wifi poster]

January 18

Wetware Security and Compliance

Security Awareness Training, User Education, Information Assurance: all of these are words that many of us don’t like to hear.  Presentations, public speaking, and teaching are concepts that fill us with dread.  These words, in and of themselves, are not terrible or scary.  It is the connotations that have arisen around them over the last decade or more that frighten us.  It is widely accepted and constantly pointed out that the weakest link in any information system regardless of size, complexity or value is the wetware. Wetware is a word that many IT professionals and especially security professionals love to use to describe the people that use the systems they implement, design or protect.

I am still a firm believer that the first person or company that comes up with a truly revolutionary way to deal with this problem, short of Bender from Futurama’s answer, “Kill all humans,” will be the next Google or Microsoft.  The information security industry has been fighting for years to come up with a good method of training users and protecting their systems from the mistakes that people make.  Unfortunately for all the users that have been subjected to these attempts, and those who developed them, they don’t work that well.

A good place to start in fixing this problem is an examination of why these techniques don’t work.  First, I want to be completely clear.  I am not saying that the methods being spoken of have no impact at all.  I am sure that many, if not all, can be shown to reduce breaches through the human element in some statistical manner.  What I am saying is that, regardless of the training, compliance and technical controls that are put in place, wetware is still by far the least secure part of any information system.

These programs are often developed by security professionals.  As a group, these professionals tend to have trouble explaining the technical aspects of their jobs to the non-technical users.  This lack of effective communication prevents users from fully understanding the importance of what the programs are trying to accomplish and what they will gain out of paying attention.  Another reason that much of this education and training fails is because the typical users, at least the vast majority, don’t particularly care about security or technical details.  They just want to get their job done so they can do whatever it is they do when they are not at work.

While the above list of problems is far from comprehensive, it is a starting point for a much-needed conversation among security professionals attempting to surmount these obstacles in the workplace.  Maybe we, as security professionals, should consider the benefits of working with professional educators, professional presenters, professional performers, and others of that ilk, to develop training and presentations that are accessible, entertaining, and relevant to users by addressing concerns about presenter comprehensibility, effectiveness, and audience awareness.  Then we would be more able to address their personal concerns by showing how they can protect their own money, families, data and anything else they may actually care about.  If we can create training programs that serve as an overall catalyst to user interest in security procedures on a personal level, that may be enough to carry over into the workplace.

The human element is always the most penetrable part of any system, but it is up to us as security professionals to shore up our weakest points as best we can.  I hope this post goes some way towards provoking discussion about the measures best suited to bridging the gap between “that annoying IT guy who keeps asking me to retrain on security compliance” and the users who need this training to protect themselves and company information.

January 11

Policing Policy

This week in one of my classes we have been discussing policies and policy development.  This is a topic that none of us in IT love to discuss, let alone engage in as participants in development.  This is the trend as I have seen it.  Policies may not be fun, but anyone in IT will tell you that if they are well written and executed properly then they are one of the more powerful tools available to us as security professionals.

I spent some time in Internal Audit as an IT Security Auditor.  During this time every single audit I was part of started in the same way.  We would gather all organizational policies related to the department, function, or system that was to be reviewed.  Then we would search for the industry best practices, sample policies, and compliance standards that were similar.  We would then compare the internal document to the best practices documentation.  Inevitably, the standards and the best practices documentation would match up incredibly well.  Every audit I worked on was well written, thorough, and surprisingly similar to what we found on the SANS website, SOX compliance or some other applicable best practice.

The problem in almost every case came after this part.  Just having a really good policy does not equate to a passing audit.  In fact, those that had the most picture-perfect policies tended to fare the worst when we began to investigate their practices.  I, like many probably do, find that the best practices and example policies are useful resources.  Unfortunately, a good policy needs to go beyond best practices and instead reflect the actual practices.  The poor auditees in these cases would have fared a lot better with a policy that was not exactly up to industry standards but instead matched the real-life practices that were in place.  (The poor auditees in these cases would have done better to align their policies and planning processes with a realistic assessment of their current status, rather than attempting to adopt policies that are considered appropriate for organizations or departments operating at top efficiency.)

I am not saying that policies are a bad thing; I think they are one of the best, and least costly, tools that IT and executives have at their disposal to protect their organizations.  I am saying that these tools need to be forged for the use they were intended.  SANS has some great policy templates, and compliance is not something that we really have a choice about.  However, policies need to be developed for the organization and purpose for which they were created, not to produce a pretty document that could never actually be put into action.  Instead, follow best practices for policies: start where you are, and review and update policies to work your way incrementally toward best practices.

January 4

Leader of the Pack or Chasing Your Own Tail?

I have been thinking for two weeks about what to cover in this first post of 2015.  I have read dozens of other blogs and articles online that talk about the problems organizations have had in 2014, and the revelations regarding what law enforcement and other three letter agencies have been doing to our privacy.  There are several about the issues we in computer security can expect to face in the new year.  Rather than rehash the problems of the past or attempt to predict future trouble, I prefer to focus on positive changes I hope to see in the sector in the next year.

As we roll into 2015, which by the way is the year that Marty McFly time-traveled to in Back to the Future 2, we may not be dressing in what the 1980s writers and costume designers envisioned: a cross between cyberpunk and raver style.  However, one fact is unavoidable: the environment of the cyber security sector has changed as dramatically as those fashions, and we must keep up with the times.  It is time for those that work on the defensive side of security to stop thinking like law enforcement and start thinking a little more like the criminals do.  We have reached an age in which the layered security that was so important a few years ago is about as effective as a castle moat would have been during the Second World War.  Criminals are not concerned with how much money your organization has spent on fancy defenses or how much harm it will do to your organization to be breached.  They only care about what they stand to gain from stealing your data.

The future may not have been right but this is our past.

The best detectives and profilers in law enforcement do not spend their days following regimented procedures.  They think outside the box and are not afraid to put themselves inside the minds of the criminals they are looking for.  I work in the offensive side of security where it is our job to think like the bad guys, but in big corporations we still find ourselves being stymied by outdated policies and obsolete ways of thinking.  I hope that 2015 will be the year that organizations that are serious about their security will be willing to let the security teams do what it takes to stop the bad actors.  It is time to stop drawing lines on what we are “allowed” to do and start letting us find the breach points before the bad guys.  It is time for us to be ahead of the game instead of spending our days (and nights) playing catch-up.

In order to promote positive changes to the way cyber security teams function, organizations must be willing to allow a greater freedom for cyber security professionals to determine what tactics are necessary to prevent attacks.  These professionals should not be so heavily restricted in their actions that they are prevented from doing their jobs.  For example, penetration testers are frequently prevented from performing a DDOS attack.  Allowing security professionals to use this DDOS attack has the potential to lead to new methods of prevention or, at the least, will prepare the organization for the possibility of an eventual attack using this technique.  Social engineering is an often dismissed tactic, usually avoided because of the likelihood that an organization will fail to pass muster under such scrutiny.  This technique is arguably the most common method of entry used in almost every breach by criminals attempting to gain access to an organization’s data.  Failure to address this area is a failure to give sufficient weight to the necessity for strong cyber security procedures.  Cyber security professionals should be given the freedom to use these and other such techniques to really test the strength of their organization’s security,