February 13

On the Frontlines with No Armor

Security professionals and researchers operate in a no man’s land between ethical websites and their shadier counterparts.  In the dark alleys and back streets of the internet we are able to discover the tactics and trends that are informing the actions of the attackers we spend our days combating.  But what if the very act of gathering intelligence for this battle were considered a crime by those you were trying to protect?  Unfortunately, it is.  Simply by doing the necessary research to competently perform your job, you risk being placed on a variety of government lists of potentially dangerous persons.  Sometimes you may risk more than that.  Events over the last few years have proven that the chances you will be arrested for doing your job are higher than we might like to think about.

This week there has been some controversy on the web regarding passwords.  Despite this sudden spike in conversation on the topic, passwords have actually been a point of contention in the IT Security community for some time.  The current controversy spawned from the actions of a security researcher by the name of Mark Burnett who writes a blog on Xato.com.  Burnett risked incarceration to release 10 million passwords.   He felt it would be helpful to the security community to release all of these passwords along with the usernames associated with them for the advancement of password research.  The reason he was worried, and rightly so, was because of what happened to Barrett Brown.

In 2012 Brown was arrested, not for stealing passwords or even committing a legally actionable crime, but for linking to a data dump that was publically available.  Granted, this dump was full of tens of thousands of stolen passwords that Anonymous had posted on the web, but they were publically available.  Regardless of the fact that Brown was a journalist and not a criminal, the FBI arrested and prosecuted him.  He was eventually sentenced to 63 months in jail and an $890,000 fine (according to this EFF article).  Brown is still incarcerated at the time of this writing, though there is a large movement lobbying for his release.

This alarming precedent has frightened countless journalists and security researchers into avoiding writing about hacks or linking to data and has made them concerned for their own freedom.  Because of this, Burnett felt it was necessary to preface his release with a lengthy explanation as to why the FBI should not arrest him.  In my opinion, it is a disturbing day when researchers and journalists are afraid to be arrested for doing their jobs.

As has been leaked on sites, such as this document on leaksource.info, and talked about by EFF and the ACLU, government watch lists do not differentiate the bad guys from the good guys.   I assume that I am on at least a couple of these lists for researching hacking techniques, reading sites like leaksource.info and wikileaks, and other perfectly legal activities I have participated in.  I am particularly careful not to do anything illegal because I have a family and a job that I would like to keep.  I don’t have any need or reason to break the law.  In the security community, in order to do our jobs, we have to study and know what the bad guys are doing.  This means we have to go to sites that are specifically watched by the government.  It means we read publications that trigger watch list entries.  Even having used TOR will put you on their lists.

I am glad there are still researchers and journalists out there who will release and report on these topics or we would be far behind the bad actors out there.  I will continue to pursue my research, as part of my academic career, my job, and because it interests me.  If that means some bored analyst in a huge government building is reading everything I write then I hope he was amused by the Hamlet parody quote last week (courtesy of my wife) and I wish him a Happy Valentine’s Day.

So, don’t give in to scare tactics that frighten you into neglecting to do the research vital to maintaining your status in the field.   Keep up the good fight.  If it means we have to be on the same lists as the bad guys to stay aware of their trends and tactics, I am fine with that.  If it means that we have to be in the same prisons as them….well, then we really have a problem.  Given the importance of advancing the research in the field of information security, it is imperative that we enact legal protections for those of us who are engaged in the battle to stay ahead of attackers by monitoring and discussing their tactics in a forum of our peers.  The legal system must make it a priority to establish laws regarding the fair and legal use of available resources to further the knowledge of security professionals and researchers.  It cannot continue to prevent valuable research from being performed by setting legal precedent without reference to the rights of free speech for the press or the rights of professionals in the field to use reasonable efforts to attain information vital to the protection of private information.

February 6

To Certify or, Not to Certify

That is the question.  Whether ‘tis nobler in spirit to suffer the slings and arrows of being stuck in an administrative capacity  or to take up arms against a sea of job postings requiring proof of your knowledge and, by earning certifications, get them.

Let’s discuss certifications.  Which ones are worthwhile?  Which of them are hardest? Are any of them going to you help get a better job?  Most importantly, which require you to gain the most practical knowledge to pass (therefore benefitting you most in the long run by enhancing your knowledge base of useable techniques)?

The unfortunate truth is that certifications are big business.  However, most companies will pay IT professionals more if they have a few.  Depending on your area of expertise or the job you are shooting for, there are various paths that you can choose to take.  Since my focus is security and, more specifically, offensive security, this is the area on which I have focused in this blog post.

About 8 years ago I got lucky and was put into a position in the Army that eventually moved beyond its initial scope of administration into the field of IT security.  I was given a chance to be the Security Officer for a battalion, which led me to the decision to pursue a career in that field.  Up to that point I had been the network, system, server, and security administrator for the unit but had not yet been able to spend my time focusing on security.  I had earned only the CompTia Network+ certification which was required to have a domain admin account.  It was time for me to pick a certification path, and I chose to begin gathering the certifications necessary to advance my career in penetration testing.

The next logical certification for me to pursue at that time was the Security+, also offered by CompTia.  This is definitely a beginner cert that mostly requires learning enough to pass a 100 question test, but it was a great introduction into the field.  After this certification was complete I had gained enough knowledge about the sector to be able seriously consider the next steps in my path. I can say with certainty that there is no hard and fast route take, as there are a variety of options available.  However, these are the steps I took which seemed to best support my goals.

Since Penetration Tester was my ultimate goal I next sought the Certified Ethical Hacker (C|EH) from EC Council.  This too is a multiple choice type test that required me to learn some of the basic techniques of penetration testing in order to pass.  After this it was logical to pursue the Licensed Penetration Tester (L|PT) certification, also from EC Council.  In order to earn the L|PT you must first take and pass the EC Council Certified Security Analyst (E|CSA) exam.  The L|PT is a multiple choice exam as well that is essentially an extension of the C|EH and required a minimal amount of studying to enhance what I had learned for the C|EH.  To pass the L|PT you must take a practical exam requiring that you perform a full scale penetration test on a virtual system provided to you by EC Council and write a full report.  You have one week to complete the report and submit it.  This exam greatly helps aspiring penetration testers for the real job which requires frequent technical writing in this same vein.

As it stands, these are the certifications that I currently hold, but I do have two “in the wings” for which I have vouchers.  One is the eLearnSecurity Certified Professional Penetration Tester (ECPPT) which is similar to the L|PT in that it requires the use of penetration testing skills in a practical exam.  The first part of the exam is an actual pen testing exercise on a virtual network provided by eLearnSecurity.  The second half of the test, like the L|PT, requires that you submit a penetration test report to the examiners and with a pass or fail given based on your finding and reporting skills.

The other exam I am taking in the next couple of months is the Certified Information Systems Security Professional (CISSP).  This is a certification that I have seen required on a number job postings.  While it is not penetration testing specific, it is well respected and known as a tough test that winnows out the less knowledgeable.  This exam is likely to be most strenuous I have ever studied for and is known for being brutal.  When taking the exam you are given 250 multiple choice exam questions to be answered within a 6 hour timeframe.

A few other certifications that are on my target list and that some of my colleagues hold are listed here.  SANS has a plethora of useful certifications available through its Global Information Assurance Certification (GIAC) program.  Some of the more sought after are:  GIAC Assessing and Auditing Wireless Networks (GAWN), GIAC Penetration Tester (GPEN), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC Web Application Penetration Tester (GWAP). Finally, one of the most well regarded of the various “practical” exams is the Offensive Security Certified Professional (OSCP). This one is highly respected because Offensive Security is the organization that produces the Kali Linux distribution.

My path through certification has helped my career immeasurably.  With every certification, I have been able to take professional steps that have brought me closer to my ultimate goal.  The value of carefully chosen certifications cannot be stressed enough, and it should be noted that many companies are happy to help support employee education by underwriting part or all of the costs for getting and maintaining them.  The choices I have made with regards to gathering certifications have greatly influenced my career, leading me to my current position as a Penetration Tester for a major financial services firm.  I have no doubt that these next certifications will yield more opportunities for professional growth.

January 31

From Defcon to Schmoocon: Where Will Your Travels Take You?

As the first month of the year comes to a close it is time for those of us in the IT Security field to decide what we will do to fulfill our CPEs for the certifications we hold.   This is exciting because it means that it is time to start considering which conferences you plan to attend this year.  It’s not too early to start planning, since getting time off and applying for possible company reimbursement can take time and need to be planned well in advance.

If you were planning on going to SchmooCon, it is too late since that just happened last month.  However, there are plenty of others coming down the pipe.  The conference likely to be most noted, most well-attended, and potentially most fun this year, as every year, is Defcon.  Defcon was a blast last year when it marked twenty-two years since its inception, a fact that makes me and many hackers feel old.  Last year was also the final year for this conference to be held at the famed Rio Hotel and Casino, a blessing in disguise as it has clearly outgrown the facility.  This year and, according to the website (https://www.defcon.org), for several years to come, the conference will be hosted by both The Paris and Bally’s Casino and Hotel, right there on the luxurious Las Vegas strip. These double locations should provide the conference with ample space to serve attendee needs.  If you can only go to one conference this year I would recommend Defcon.  Tickets cannot be purchased in advance but were only $220 cash at the door last year.  You can, however, book your room with a special discount as of this week.  If you want to stay at Bally’s or Paris and be right in the thick of it, it would behoove you to book your room now.

There are plenty of other conferences that happen later this year.  Just before DefCon is Blackhat (https://www.blackhat.com), which is very expensive.  Therefore, many people only go if their employer foots the bill.  If they will pay I recommend this conference as it has many interesting talks and is a bit more professional and organized than Defcon has been in the past.  This does not necessarily mean it is more fun, but if you are able to get company cost coverage why not spend an entire week in Vegas and attend both conferences?  There is also the B-Sides Las Vegas Conference (http://www.securitybsides.com/w/page/12194156/FrontPage), which takes place just before Blackhat.  You could easily spend a week and a half in Vegas attending these three conferences.  B-Sides also has a plethora of other conferences all over the US and Europe, these are listed on their website.

DerbyCon (https://www.derbycon.com/) takes place this September (according to the website tickets may already be sold out).  There are several good conferences that take place in Europe as well.  In Amsterdam there is the Hack-in-the-Box (http://www.hitb.org/) conference that has not been officially announced yet but often has some really great speakers, and the fact that it is in Amsterdam is a bonus.  One last conference that has been popular in the past and as I have been told by some that have attended is a very fun experience is the Chaos Computer Club (CCC) Congress (http://www.ccc.de/en/). This takes place in Koln (Cologne, for Americans) Germany and is one of the things on my bucket list.

The conferences I have mentioned are not even the tip of the iceberg, there are hundreds of choices all over the world.  There may even be one in your local area that does not necessitate travel and an expense account.  This site (http://www.concise-courses.com/security/conferences-of-2015/) has a fairly comprehensive listing of conferences. There are different conferences that cater to professionals of every specialty.  Take a look at the list, decide where you want to go this year, and start making your plans.  If you are looking to get your company to send you it would be a good idea to start asking now.   We all know how slow corporate bureaucracy can be, better start those wheels turning now so you don’t miss the boat.

January 24

Hacking Without Breaking the Law

After four years in a university exploring the academic side of offensive security, I have come to realize that no amount of theoretical knowledge can be considered a substitute for real world, practical experience.  I have had the undeniable advantage of working in the field for a number of years gaining a considerable amount of such experience, but the most useful practice I have gotten has been from another source altogether.  Best of all, this experience was both free and legal.

Most of the tools that professional offensive security practitioners use are free, and the majority of the most popular ones come in a free Linux distribution called Kali Linux (https://www.kali.org/downloads/).  Armed with a virtualization client, such as the free VirtualBox (https://www.virtualbox.org/) and some spare time to explore, there is a lot of practice available.

If you are just getting started, there are hundreds of options out there.  All of them will help aspiring offensive security practitioners, penetration testers, and hackers improve their skills.  A great tool to start with is provided by Rapid7, the owners of Metasploit, (arguably one of the greatest hacking tools in existence).  This tool is designed specifically to teach beginners how to perform a plethora of hacking exercises using Metasploit.  The Metasploitable 2 VM can be downloaded from https://information.rapid7.com/metasploitable-download.html.  Metasploit itself can be downloaded from the same site but is included as part of the Kali Linux distribution.

A couple of weeks ago I decided to undertake the “Brainpan 2” hackable VM challenge.  This is one of many virtual machines that are out there to help offensive security professionals and enthusiasts to hone their skills and get practical experience in a lab environment.  In general it was an educational system to work with.  It was enjoyable to hack into and challenging to find ways around the security.  This is more of an intermediate VM.  If you are interested in giving it a shot yourself you can access it and a ton of other great vulnerable VMs here: https://www.vulnhub.com/.  Vulnhub.com offers new VMs on a regular basis ranging in difficulty from beginner to expert.  Some even offer prizes for solving them first or in a new and interesting way.

Further hacking experiments are available elsewhere.  If you prefer not to install VMs, just install Kali Linux (available at https://www.kali.org/downloads/). Then, go to one of a large selection of websites that were designed to be hacked.  These websites are created for just this purpose, so there is no concern about the legality of honing your hacking skills by attempting to break in.  For example, check out https://www.hackthissite.org/ where there is a series of increasingly difficult challenges that teach practical web application hacking.

In short, there is no limit to the opportunities to practice hacking.  Anyone, as long as they have a computer and some time, can use them to their advantage.  If you Google “hack this site” there are over 45 million results and vulnhon.com has hundreds of VMs.  I have been working on these steadily for about six years and am not halfway through all the choices.  However, if you do happen to work through all of these, there are even more VMs on GitHub and a plethora of paid services that provide virtual networks, as well.  So if you are looking to learn how to hack there is no need to spend money or break the law.  Just install some free software and start hacking!

January 19

Think. Pause. Post.

Nye_Not Anonymous Poster

I have these two security awareness posters that I made last week and I thought they deserved to be shared with the world.  The one with the Anonymous logo is in response to a problem that I have seen getting worse and worse and some awareness is in order.  I am posting these with something like a GNU license, they are free to use and post where you wish, just please give credit where credit is due.  If anyone would like the Microsoft Publisher version for better quality, to make changes or just because feel free to shoot me an email (john.r.nye [at] gmail [dot] com), message me on the various social media I am member of or even leave a comment here on my blog.

Nye_Free Wifi Poster

 

January 18

Wetware Security and Compliance

Security Awareness Training, User Education, Information Assurance: all of these are words that many of us don’t like to hear.  Presentations, public speaking, and teaching are concepts that fill us with dread.  These words, in and of themselves, are not terrible or scary.  It is the connotations that have arisen around them over the last decade or more that frighten us.  It is widely accepted and constantly pointed out that the weakest link in any information system regardless of size, complexity or value is the wetware. Wetware is a word that many IT professionals and especially security professionals love to use to describe the people that use the systems they implement, design or protect.

I am still a firm believer that the first person or company that comes up with a truly revolutionary way to deal with this problem, short of Bender from Futurama’s answer, “Kill all humans,” will be the next Google or Microsoft.  The information security industry has been fighting for years to come up with a good method of training users and protecting their systems from the mistakes that people make.  Unfortunately for all the users that have been subjected to these attempts, and those who developed them, they don’t work that well.

A good place to start in fixing this problem is an examination of why these techniques don’t work.  First, I want to be completely clear.  I am not saying that the methods being spoken of have no impact at all.  I am sure than many, if not all, can be shown to reduce breaches through the human element in some statistical manner.  What I am saying is that, regardless of the training, compliance and technical controls that are put in place, wetware is still by far the least secure part of any information system.

These programs are often developed by security professionals.  As a group, these professionals tend to have trouble explaining the technical aspects of their jobs to the non-technical users.  This lack of effective communication prevents users from fully understanding the importance of what the programs are trying to accomplish and what they will gain out of paying attention.  Another reason that much of this education and training fails is because the typical users, at least the vast majority, don’t particularly care about security or technical details.  They just want to get their job done so they can do whatever it is they do when they are not at work.

While the above list of problems is far from comprehensive, it is a starting point for a much-needed conversation among security professionals attempting to surmount these obstacles in the workplace.  Maybe we, as security professionals, should consider the benefits of working with professional educators, professional presenters, professional performers, and others of that ilk, to develop training and presentations that are accessible, entertaining, and relevant to users by addressing concerns about presenter comprehensibility, effectiveness, and audience awareness.  Then we would be more able to address their personal concerns by showing how they can protect their own money, families, data and anything else they may actually care about.  If we can create training programs that serve as an overall catalyst to user interest in security procedures on a personal level, that may be enough to carry over into the workplace.

The human element is always the most penetrable part of any system, but it is up to us as security professionals to shore up our weakest points as best we can.  I hope this post goes some way towards provoking discussion about the measures best suited to bridging the gap between “that annoying IT guy who keeps asking me to retrain on security compliance” and the users who need this training to protect themselves and company information.

January 11

Policing Policy

This week in one of my classes we have been discussing policies and policy development.  This is a topic that none of us in IT love to discuss let alone engage in as participants in development.  This is the trend as I have seen it.  Policies may not be fun, but anyone in IT will tell you that if they are well written and executed properly then they are one of the more powerful tools in available to us as security professionals.

I spent some time in Internal Audit as an IT Security Auditor.  During this time every single audit I was part of started in the same way.  We would gather all organizational policies related to the department, function, or system that was to be reviewed.  Then we would search for the industry best practices, sample policies, and compliance standards that were similar.  We would then compare the internal document to the best practices documentation.  Inevitably, the standards and the best practices documentation would match up incredibly well.  Every audit I worked on was well written, thorough, and surprisingly similar to what we found on the SANS website, SOX compliance or some other applicable best practice.

The problem in almost every case came after this part.  Just having a really good policy does not equate to a passing audit.  In fact, those that had the most picture perfect polices tended to fare the worst when we began to investigate their practices.  I, like many probably do, find that the best practices and example policies are useful resources.  Unfortunately, a good policy needs to go beyond best practices and instead reflect the actual practices.  The poor auditees in these cases would have fared a lot better to have a policy that was not exactly up to industry standards, but instead matches the real-life practices that were.  (The poor auditees in these cases would have done better to align their policies with and planning processes with a realistic assessment of their current status, rather than attempting to engage in policies that are considered appropriate for organizations or departments operating at top efficiency.)

I am not saying that policies are a bad thing, I think they are one of the best, and least costly, tools that IT and executives have at their disposal to protect their organizations.  I am saying that these tools need to be forged for the use they were intended.  SANS has some great policies templates, and compliance is not something that we really have a choice about.  However, polices need to be developed for the organization and purpose for which they were created, not to have a pretty document that could never actually be put into action.  Instead follow best practices for policies, start where you are and review and update polices to work your way incrementally toward best practices.

January 4

Leader of the Pack or Chasing Your Own Tail?

I have been thinking for two weeks about what to cover in this first post of 2015.  I have read dozens of other blogs and articles online that talk about the problems organizations have had in 2014, and the revelations regarding what law enforcement and other three letter agencies have been doing to our privacy.  There are several about the issues we in computer security can expect to face in the new year.  Rather than rehash the problems of the past or attempt to predict future trouble, I prefer to focus on positive changes I hope to see in the sector in the next year.

As we roll into 2015, which by the way is the year that Marty McFly time-traveled to in Back to the Future 2, we may not be dressing in what the 1980s writers and costume designers envisioned: a cross between cyberpunk and raver style.  However, one fact is unavoidable: the environment of the cyber security sector has changed as dramatically as those fashions, and we must keep up with the times.  It is time for those that work on the defensive side of security to stop thinking like law enforcement and start thinking a little more like the criminals do.  We have reached an age in which the layered security that was so important a few years ago is about as effective as a castle moat would have been during the Second World War.  Criminals are not concerned with how much money your organization has spent on fancy defenses or how much harm it will do to your organization to be breached.  They only care about what they stand to gain from stealing your data.

The future may not have been right but this is our past.The future may not have been right but this is our past.

The best detectives and profilers in law enforcement do not spend their days following regimented procedures.  They think outside the box and are not afraid to put themselves inside the minds of the criminals they are looking for.  I work in the offensive side of security where it is our job to think like the bad guys, but in big corporations we still find ourselves being stymied by outdated policies and obsolete ways of thinking.  I hope that 2015 will be the year that organizations that are serious about their security will be willing to let the security teams do what it takes to stop the bad actors.  It is time to stop drawing lines on what we are “allowed” to do and start letting us find the breach points before the bad guys.  It is time for us to be ahead of the game instead of spending our days, (and nights) playing catch-up.

In order to promote positive changes to the way cyber security teams function, organizations must be willing to allow a greater freedom for cyber security professionals to determine what tactics are necessary to prevent attacks.  These professionals should not be so heavily restricted in their actions that they are prevented from doing their jobs.  For example, penetration testers are frequently prevented from performing a DDOS attack.  Allowing security professionals to use this DDOS attack has the potential to lead to new methods of prevention or, at the least, will prepare the organization for the possibility of an eventual attack using this technique.  Social engineering is an often dismissed tactic, usually avoided because of the likelihood that an organization will fail to pass muster under such scrutiny.  This technique is arguably the most common method of entry used in almost every breach by criminals attempting to gain access to an organization’s data.  Failure to address this area is a failure to give sufficient weight to the necessity for strong cyber security procedures.  Cyber security professionals should be given the freedom to use these and other such techniques to really test the strength of their organization’s security,

December 10

Planning for Failure

This week in my Information Security Management class we discussed planning for security.  Of course the discussion in the course was about planning for success.  Unfortunately, a lot of the real world discussions I’ve had and articles I have read this week have shown more clearly how people and corporations are failing because of their planning.  I am sure they are not planning to fail, but their actions and poor planning skills have been leading to their demise.

My interest in this issue was piqued while reading about the recent problems that Sony Pictures Entertainment (SPE) is facing.  Their difficulties stem from corporate planning.  Unfortunately for them the planning was of the wrong kind.  In an effort to reallocate company resources, many articles claim that they were on a mission to save money by cutting staff.  This money saving planning extended to their IT compliance and security department.  They did everything they could to save money and cut corners, including having a policy of “just enough compliance.”  This resulted in a breach of SPE’s privately identifiable information (PII) at an estimated damage rate of upwards of 47,000 employee records.

In addition to budget cuts to their IT Security programs they laid off a number of employees in the last year.  Sony is not alone in this practice.  There is an epidemic in the corporate world of layoffs, benefit cuts, and even employee demotions.  This, in addition to the cutting of the IT Security budgets, has created a perfect storm, and I think SPE is just the first of many victims.  Due to the nature of this breach it is fairly evident that there was help from a trusted insider.  Some estimates are saying that this breach will cost SPE over $100 million, and that is not counting the personal cost to employees whose information was captured.  Had SPE focused on maintaining a functioning IT Security department, this breach could have been avoided entirely, saving the company far more than the money they will lose because of this attack.  Proper planning could have saved them their reputation.

It is time to stop planning for the right now and start planning strategically for the future.  It is time to focus less on the bottom line and more on preemptive planning to maintain a secure front and protect the information that is the lifeblood of any company.

December 2

Embrace the Oxymorons

Let’s talk about oxymorons, those annoying little things they keep trying to teach in network security and computer security and, well …. Cybersecurity.  I have a Bachelor’s in cybersecurity, am working toward my Master’s, and I have been officially (as in professionally) working in the field for just under 8 years.  Before that I had been into the dark arts (computer hacking) since I was 11 or 12, right about when the internet appeared, so that is about 23 years give or take, that I have been in some form or fashion involved in cybersecurity.

That paragraph was not to toot my own horn, I have plenty to learn, cyber security is such a constantly changing and large field, for example in all that time I did not REALLY understand false positives, and true negatives etc. until the last few years.  Learning the concept is relatively easy and logically they all make sense a false positive is an alarm that goes off for the wrong reason. A true positive is a proper alarm that went off for the right purpose.  A false negative is the bad guy getting through because the alarms think that he is perfectly acceptable. And finally true positives are what happen when the defenses actually catch the bad guy and sound the alarm.

Regardless of how annoying and, well, kind of ridiculous these things sound, someday (if you really go into security) they will be something you care about.  They are important to me in my current job as an offensive security professional because I want to get past the alarms.  They were important to me as a defensive security professional because I wanted to alarm to catch the bad actors.  And someday, maybe right now, they will matter to you too.  So, embrace the oxymorons.

Thank you for reading, check back next week for more.

 

John Nye