Monday, June 25, 2018

2018-022-preventing_insider_threat


After the recent Tesla insider threat event, BrakeSec decided to discuss some of the indicators of insider threat, what can be done to mitigate it, and why it happens.

 

news stories referenced:

https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/

 

https://www.scmagazine.com/tesla-hit-by-insider-saboteur-who-changed-code-exfiltrated-data/article/774472/

 

https://en.wikipedia.org/wiki/Insider_threat

 

https://en.wikipedia.org/wiki/Insider_threat_management

 

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Tuesday, June 19, 2018

2018-021-TLS 1.3 discussion, Area41 report, wireshark goodness


Area41 Zurich report

Book Club - 4th Tuesday of the month

https://www.owasp.org/images/d/d3/TLS_v1.3_Overview_OWASP_Final.pdf

 

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

TLS_DHE_RSA_AES_256_GCM_SHA256

 

TLS = Protocol

DHE = Diffie-Hellman ephemeral (provides Perfect Forward Secrecy)

    Perfect Forward Secrecy = session keys won’t be compromised, even if server private keys are

Past messages and data cannot be retrieved or decrypted (https://en.wikipedia.org/wiki/Forward_secrecy)

 

RSA = Digital Signature (authentication)

    There are only 2 (RSA, or ECDSA)

 

AES_256_GCM - HMAC (hashed message authentication code)

 

https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

https://en.wikipedia.org/wiki/HMAC#Definition_.28from_RFC_2104.29

 

https://en.wikipedia.org/wiki/Funicular

 

https://mozilla.github.io/server-side-tls/ssl-config-generator/?hsts=no

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Tuesday, June 12, 2018

2018-020: NIST's new password reqs, Ms. Berlin talks about ShowMeCon, Pwned Passwords


https://nostarch.com/packetanalysis3  -- Excellent Book! You must buy it.

 

DetSEC mention

 

ShowMe Con panel and keynote

 

SeaSec East standing room only. Crispin gave a great toalk about running as Standard user

 

Bsides Cleveland -

 

https://www.passwordping.com/surprising-new-password-guidelines-nist/

1Password version 7.1 integrates with Troy Hunt's "Pwned Passwords" service to check for passwords that suck

https://twitter.com/troyhunt/status/1006266985808875521

https://1password.com/sign-up/

https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/

 

1,300 complaints of GDPR breaches in the first 6 days of enablement:

https://iapp.org/news/a/irish-dpc-received-1300-complaints-since-gdpr-implementation-date/



https://www.pcisecuritystandards.org/about_us/leadership





Here is a new episode of Brakeing Down Security Podcast!

Tuesday, June 5, 2018

2018-019-50 good ways to protect your network, brakesec summer reading program


Ms. Berlin’s mega tweet on protecting your network

 

https://twitter.com/InfoSystir/status/1000109571598364672

 

Utica College CYB617

    I tweeted “utica university” many pardons

 

Mr. Childress’ high school class

Laurens, South Carolina

 

Probably spent as much as a daily coffee at Starbucks… makes all the difference.

 

CTF Club, and book club (summer reading series)

 

Patreon

SeaSec East

 

Showmecon

Area41con

bsidescleveland



Here are 50 FREE things you can do to improve the security of most environments:

 

Segmentation/Networking:

Access control lists are your friend (deny all first)

Disable ports that are unused, & setup port security

DMZ behind separate firewall

Egress Filtering (should be just as strict as Ingress)

Geoblocking

Segment with Vlans

Restrict access to backups

Role based servers only! DNS servers/DCs are just that

Network device backups



Windows:

AD delegation of rights

Best practice GPO (NIST GPO templates)

Disable LLMNR/NetBios

EMET (when OSes prior to 10 are present)

Get rid of open shares

MSBSA

WSUS

** run as a standard user ** no ‘localadmin’




Endpoints:

App Whitelisting

Block browsing from servers. Not all machines need internet access

Change ilo settings/passwords

Use Bitlocker/encryption

Patch *nix boxes

Remove unneeded software

Upgrade firmware



MFA/Auth:

Diff. local admin passwords (LAPS) https://www.microsoft.com/en-us/download/details.aspx?id=46899

Setup centralized logins for network devices. Use TACACS+ or radius

Least privileges EVERYWHERE

Separation of rights - Domain Admin use should be sparse & audited



Logging Monitoring:

Force advanced file auditing (ransomware detection)

Log successful and unsuccessful logins - Windows/Linux logging cheatsheets



Web:

Fail2ban

For the love of god implement TLS 1.2/3

URLscan

Ensure web logins use HTTPS

Mod security

 

Other:

Block Dns zone transfers

Close open mail relays

Disable telnet & other insecure protocols or alert on use

DNS servers should not be openly recursive

Don't forget your printers (saved creds aren't good)

Locate and destroy plain text passwords

No open wi-fi, use WPA2 + AES

Password safes



IR:

Incident Response drills

Incident Response Runbook & Bugout bag

Incident Response tabletops

 

Purple Team:

Internal & OSINT honeypots

User Education exercises

MITRE ATT&CK Matrix is your friend

Vulnerability Scanner

 

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!