February 27

Do Your Job, or the World Will End in Flames

Ironically, just a week after posting my last blog (The Sky is Falling: Maintaining Optimism in the Face of Doomsayers) there was a long form article positing the opposite standpoint on Ars Technica.  The article in question is called “Cybergeddon: Why the Internet could be the next ‘failed state,’” and it discusses at length the report released by Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council of the United States.  Healey’s report details the possible future of the internet.  While Healey is careful to indicate a few bright spots in the future prospects for the evolution of the internet, the overall tone is gloomy.

Healey has performed detailed analyses of trends in internet security which have led him to conclude that the internet as we know it may not survive much longer. While his assumptions and analyses have merit, I have to at least hope that the future is less bleak than Healey paints it.  People have been prophesying the end of the internet in one form or another almost since its inception.  While this report has more solid research on which to base its claims than do some other theories of internet apocalypse, it may not be the final word on the subject.

The current status quo of the internet is reasonably relaxed.  We use it almost constantly and feel safe shopping online in relative security, reading our emails without undue worry over who else can see them, and checking Facebook to see what antics our high school friends have gotten up to in the last forty-five minutes.  We spend our days watching YouTube and arguing on Twitter about what color a dress is (Team Blue, all the way).  The World Wide Web that we rely on is fairly safe, just like the neighborhood your parents grew up in.  Sure, there are criminals, and every week we hear about some major security breach, but generally we are safe if we are smart.  But is all that about to change?  Just as our children have lost the freedom our parents enjoyed to roam the streets in packs on bicycles, may we be about to lose the freedom to proclaim our allegiance to Team Blue or order our cat food from Amazon without threat of identity theft?

Healey has laid out five possible scenarios which he believes represent the possible futures of the internet.  At one end is “paradise,” where security has gotten so good that the only crime online comes from the elite hackers of the NSA or nation-state sponsored teams.  Otherwise, crime in this projected future is so difficult to achieve on the web that it simply goes away.  The likelihood of this, according to Healey’s report, is very low, and I would tend to agree.  The other end of the spectrum is what he calls “Cybergeddon,” wherein the state of the web is compared to a failed state in which control of criminal elements is impossible and the internet descends into madness and anarchy, perhaps with flames and hardcore punk in the background.

The Ars Technica article linked above is worth a read, particularly to understand the three remaining projected futures.  Time does not permit me a detailed discussion of all of these, but suffice it to say they cover eventualities that fall somewhere between the aforementioned extremes (continuation of current conditions, segregation of the internet, and a slightly toned down version of Cybergeddon).  You can and should take a look at it for more thorough information.  However, I would like to reiterate my call to optimism.  As a security professional, especially working on the offensive side like the bad guys, I am fully aware that the criminals have more and better ways to breach networks than we have to protect them.  Instead of burying our heads in the sand and bracing for the end of the web as we know it we need to find new ways to fight.  There are endless ways to attack a network, endless ways for bad guys to “think outside the box” and gain access to the money or data that they want.  That means there are at least as many possibilities for protecting the web and the computer systems we have all come to love and rely on.  Instead of accepting that they have the leg up we need to start to break down the rules and walls that are holding the “good guys” back.

We need to fight for our ability to change the face of the war that is taking place right now.  All through history, the generals who were willing to break the mold, think outside the box, and even use tactics that were questionable at the time are the ones who have succeeded over and over again.  We need to fight to convince our clients and employers.  We need to be the ones who have the leg up.  It will require us to work harder, to do things that stodgy businesses will balk at, but it is what will win.  The Fortune 500 company that refuses to allow a pentesting team to do whatever it takes is going to be the first one to fall to a criminal attack.  Stop putting leashes on the security professionals; stop bowing to pressure and wasting your time duct-taping broken security models.  It is time for us to break the old security models and build new ones with new ideas, then break those with even newer ideas so we can constantly improve.  Constant improvement of security is regularly taught but rarely actually practiced.  It is time to fight, time to break things.  Prevent Cybergeddon.  Do your job.

February 22

The Sky is Falling: Maintaining Optimism in the Face of Doomsayers

This week proved to be highly eventful for the security community.  There have been major announcements and big revelations daily.  The week saw the revelation of the biggest bank heist of all time.  There was the announcement by Kaspersky about the “Equation Group,” thought to be the NSA’s elite hacker group.  There was even the discovery of some nasty malware that came pre-installed on consumer-grade Lenovo computers.  These three announcements alone have been eye-opening for the security world, and there are two very distinct ways of looking at all of this news.  Either we could throw up our hands in despair at the realization that, despite all of our hard work, there is no way to stop these major breaches.  Or, as is hopefully the more common response, we could accept that we have a LOT of work to do and be grateful that there will be no shortage of job opportunities for the foreseeable future.

Personally, I am in the second camp, maintaining my optimism in the face of seemingly insurmountable odds.  Despite the disheartening news and the seeming inadequacy of all of the controls we work so hard to enact, there is more we can do.  We have known for a long time that nothing is ever completely secure.  We have known that no amount of education and awareness training will keep users from falling victim to social engineering attacks.  More than all of that, we know, as security professionals, that a determined attacker will gain access to their target’s systems eventually if they try hard enough for long enough.  This is not new information, though the number of breaches being reported on can seem overwhelming.  For my part, I will continue to persevere in my attempts to keep my employers and my clients from being the next to experience a major breach.  With that in mind, I would like to briefly analyze some of the big stories of the week and discuss ways we can mitigate them.

First, the biggest bank heist of all time was announced this week by Kaspersky.  There have been a multitude of articles written about it, and a lot of analysis has been done as well.  One of the better assessments, as usual, was published by Brian Krebs.  He compared the breach to the notion of bleeding to death from a thousand cuts.  That is a perfect analogy.  These attackers strayed from the brash “hit and run” techniques that many of the organized-crime-related hackers based in Russia have been using for years.  They slowly and quietly infiltrated hundreds of banks.  After gaining access, they did not just steal a large sum of money and run.  Instead they waited and watched until they understood the day-to-day activities and transactions.  Once they understood these rhythms, they made relatively small and unobtrusive money transfers that did not set off fraud alerts.  Their success with this strategy netted them somewhere around $10 million from hundreds of banks around the world.  This entire process started with phishing emails.  We as security professionals need to figure out new methods to detect this type of activity, which gives us plenty of work to do in the near future.

Secondly, and possibly more disturbing, have been the revelations regarding the “Equation Group.”  This group of highly sophisticated hackers has been able to successfully infiltrate any target.  It is thought that they are actually one of the elite teams that are part of the NSA.  This seems likely, as many of the tactics linked to them are very advanced and would likely have required substantial resources only available as part of a state-sponsored program.  It is also clear from the report that the activities reported are not very new; many occurred in the last five years.  What we know about are the old techniques.  The latest and best tactics are surely still hidden well from everyone.  The only redeeming portion of this information is that all of these attacks were highly targeted and not likely to spread beyond their targets.  Also, this revelation has provided interesting new techniques for researchers and penetration testers to begin testing and employing.

The last announcement is not terribly surprising.  It has been known for quite some time that many “free” software packages and low-cost computers come jammed with junkware.  It was only a matter of time until some of that junk crossed the line to full-force malware.  We as a community need to take advantage of this news and use it as a learning opportunity.  The public needs to be made aware of these dangers, and security companies have an opportunity to begin releasing software that will clean out all of the junk from new systems.  Lenovo is not the only company to fill their computers with advertising to save money.  They are simply the first one that let a piece of malware get included (that we are currently aware of).

So, despite the litany of bad news that has come pouring out lately, we are not out of luck.  We need to keep our heads up and remember why we got into the field to begin with.  There will always be big breaches.  There will always be scary news.  This is not an invitation to start wringing our hands and beating our breasts.  If security were simple and static, we would all be out of work tomorrow.  It is the dynamism of the field, its constant surprises and unlikely quicksand paths, that keeps our work interesting and challenging.  Rather than bewail our failures, we must use them as opportunities to expand our knowledge and sharpen our creative abilities.  The sky is not falling, Chicken Little.  It will all be okay.

February 13

On the Frontlines with No Armor

Security professionals and researchers operate in a no man’s land between ethical websites and their shadier counterparts.  In the dark alleys and back streets of the internet we are able to discover the tactics and trends that are informing the actions of the attackers we spend our days combating.  But what if the very act of gathering intelligence for this battle were considered a crime by those you were trying to protect?  Unfortunately, it is.  Simply by doing the necessary research to competently perform your job, you risk being placed on a variety of government lists of potentially dangerous persons.  Sometimes you may risk more than that.  Events over the last few years have proven that the chances you will be arrested for doing your job are higher than we might like to think about.

This week there has been some controversy on the web regarding passwords.  Despite this sudden spike in conversation on the topic, passwords have actually been a point of contention in the IT security community for some time.  The current controversy spawned from the actions of a security researcher by the name of Mark Burnett, who writes a blog on Xato.com.  Burnett risked incarceration to release 10 million passwords.  He felt it would be helpful to the security community to release all of these passwords, along with the usernames associated with them, for the advancement of password research.  The reason he was worried, and rightly so, was because of what happened to Barrett Brown.

In 2012 Brown was arrested, not for stealing passwords or even committing a legally actionable crime, but for linking to a data dump that was publicly available.  Granted, this dump was full of tens of thousands of stolen passwords that Anonymous had posted on the web, but they were publicly available.  Regardless of the fact that Brown was a journalist and not a criminal, the FBI arrested and prosecuted him.  He was eventually sentenced to 63 months in jail and an $890,000 fine (according to this EFF article).  Brown is still incarcerated at the time of this writing, though there is a large movement lobbying for his release.

This alarming precedent has frightened countless journalists and security researchers into avoiding writing about hacks or linking to data and has made them concerned for their own freedom.  Because of this, Burnett felt it was necessary to preface his release with a lengthy explanation as to why the FBI should not arrest him.  In my opinion, it is a disturbing day when researchers and journalists are afraid of being arrested for doing their jobs.

As has been leaked on sites such as leaksource.info (see this document there) and talked about by the EFF and the ACLU, government watch lists do not differentiate the bad guys from the good guys.  I assume that I am on at least a couple of these lists for researching hacking techniques, reading sites like leaksource.info and WikiLeaks, and other perfectly legal activities I have participated in.  I am particularly careful not to do anything illegal because I have a family and a job that I would like to keep.  I don’t have any need or reason to break the law.  In the security community, in order to do our jobs, we have to study and know what the bad guys are doing.  This means we have to go to sites that are specifically watched by the government.  It means we read publications that trigger watch list entries.  Even having used Tor will put you on their lists.

I am glad there are still researchers and journalists out there who will release and report on these topics or we would be far behind the bad actors out there.  I will continue to pursue my research, as part of my academic career, my job, and because it interests me.  If that means some bored analyst in a huge government building is reading everything I write then I hope he was amused by the Hamlet parody quote last week (courtesy of my wife) and I wish him a Happy Valentine’s Day.

So, don’t give in to scare tactics that frighten you into neglecting to do the research vital to maintaining your status in the field.  Keep up the good fight.  If it means we have to be on the same lists as the bad guys to stay aware of their trends and tactics, I am fine with that.  If it means that we have to be in the same prisons as them... well, then we really have a problem.  Given the importance of advancing research in the field of information security, it is imperative that we enact legal protections for those of us who are engaged in the battle to stay ahead of attackers by monitoring and discussing their tactics in a forum of our peers.  The legal system must make it a priority to establish laws regarding the fair and legal use of available resources to further the knowledge of security professionals and researchers.  It cannot continue to prevent valuable research from being performed by setting legal precedent without reference to the free-speech rights of the press or the rights of professionals in the field to use reasonable efforts to attain information vital to the protection of private information.

February 6

To Certify or, Not to Certify

That is the question.  Whether ’tis nobler in spirit to suffer the slings and arrows of being stuck in an administrative capacity, or to take up arms against a sea of job postings requiring proof of your knowledge and, by earning certifications, get them.

Let’s discuss certifications.  Which ones are worthwhile?  Which of them are hardest?  Are any of them going to help you get a better job?  Most importantly, which require you to gain the most practical knowledge to pass (therefore benefitting you most in the long run by enhancing your knowledge base of usable techniques)?

The unfortunate truth is that certifications are big business.  However, most companies will pay IT professionals more if they have a few.  Depending on your area of expertise or the job you are shooting for, there are various paths that you can choose to take.  Since my focus is security and, more specifically, offensive security, this is the area on which I have focused in this blog post.

About 8 years ago I got lucky and was put into a position in the Army that eventually moved beyond its initial scope of administration into the field of IT security.  I was given a chance to be the Security Officer for a battalion, which led me to the decision to pursue a career in that field.  Up to that point I had been the network, system, server, and security administrator for the unit but had not yet been able to spend my time focusing on security.  I had earned only the CompTIA Network+ certification, which was required in order to hold a domain admin account.  It was time for me to pick a certification path, and I chose to begin gathering the certifications necessary to advance my career in penetration testing.

The next logical certification for me to pursue at that time was the Security+, also offered by CompTIA.  This is definitely a beginner cert that mostly requires learning enough to pass a 100-question test, but it was a great introduction to the field.  After this certification was complete I had gained enough knowledge about the sector to be able to seriously consider the next steps in my path.  I can say with certainty that there is no hard and fast route to take, as there are a variety of options available.  However, these are the steps I took which seemed to best support my goals.

Since Penetration Tester was my ultimate goal I next sought the Certified Ethical Hacker (C|EH) from EC Council.  This too is a multiple choice type test that required me to learn some of the basic techniques of penetration testing in order to pass.  After this it was logical to pursue the Licensed Penetration Tester (L|PT) certification, also from EC Council.  In order to earn the L|PT you must first take and pass the EC Council Certified Security Analyst (E|CSA) exam.  The L|PT is a multiple choice exam as well that is essentially an extension of the C|EH and required a minimal amount of studying to enhance what I had learned for the C|EH.  To pass the L|PT you must take a practical exam requiring that you perform a full scale penetration test on a virtual system provided to you by EC Council and write a full report.  You have one week to complete the report and submit it.  This exam greatly helps aspiring penetration testers for the real job which requires frequent technical writing in this same vein.

As it stands, these are the certifications that I currently hold, but I do have two “in the wings” for which I have vouchers.  One is the eLearnSecurity Certified Professional Penetration Tester (ECPPT), which is similar to the L|PT in that it requires the use of penetration testing skills in a practical exam.  The first part of the exam is an actual pen testing exercise on a virtual network provided by eLearnSecurity.  The second half of the test, like the L|PT, requires that you submit a penetration test report to the examiners, with a pass or fail given based on your findings and reporting skills.

The other exam I am taking in the next couple of months is the Certified Information Systems Security Professional (CISSP).  This is a certification that I have seen required on a number of job postings.  While it is not penetration-testing specific, it is well respected and known as a tough test that winnows out the less knowledgeable.  This exam is likely to be the most strenuous I have ever studied for and is known for being brutal.  When taking the exam you are given 250 multiple choice questions to be answered within a 6 hour timeframe.

A few other certifications that are on my target list, and that some of my colleagues hold, are listed here.  SANS has a plethora of useful certifications available through its Global Information Assurance Certification (GIAC) program.  Some of the more sought after are: GIAC Assessing and Auditing Wireless Networks (GAWN), GIAC Penetration Tester (GPEN), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), and GIAC Web Application Penetration Tester (GWAP).  Finally, one of the most well regarded of the various “practical” exams is the Offensive Security Certified Professional (OSCP).  This one is highly respected because Offensive Security is the organization that produces the Kali Linux distribution.

My path through certification has helped my career immeasurably.  With every certification, I have been able to take professional steps that have brought me closer to my ultimate goal.  The value of carefully chosen certifications cannot be stressed enough, and it should be noted that many companies are happy to help support employee education by underwriting part or all of the costs for getting and maintaining them.  The choices I have made with regards to gathering certifications have greatly influenced my career, leading me to my current position as a Penetration Tester for a major financial services firm.  I have no doubt that these next certifications will yield more opportunities for professional growth.