Wednesday, June 24, 2020

2020-024-Bit of news, Ripple20 vulns, IoT Security, windows error codes, captchas used for evil, Marine Momma


https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/

 

https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4657

https://www.blumira.com/logmira-windows-logging-policies-for-better-threat-detection/

 

How would we map this against the MITRE ATT&CK matrix?

Are there ATT&CK techniques so similar that one action could legitimately be mapped to two different techniques in the matrix?
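The first links above cover hiding .NET tooling from ETW by setting the COMPlus_ETWEnabled environment variable to 0 (the xpnsec post), the Cyb3rWard0g gist on detecting it, and Windows Security event 4657 ("A registry value was modified"), which is where a persistent copy of that variable shows up, since user and machine environment variables live in the registry. As an added example (not taken from any of the linked posts), here is a small Python triage over constructed 4657 records as you might export them from a SIEM. The field names follow the 4657 event schema; the records themselves, the SIDs, process names and key paths are made up. On the MITRE question: the same action carries two tags here, T1112 (Modify Registry, the mechanism) and T1562.006 (Impair Defenses: Indicator Blocking, the goal), which is the "one action, two techniques" situation asked about above; that mapping is ours, not the show's. Two caveats a practitioner will care about: 4657 is only generated if a SACL is set on the Environment keys (see the Blumira logging link), and an attacker who sets the variable only in the process environment never touches the registry, so this catches the persistent variant only.

```python
import re

# 4657 ObjectName values for the two places a persistent environment variable lives
# (per-user HKCU\Environment and machine-wide Session Manager\Environment), written the
# way the event reports them (\REGISTRY\USER\<SID>\... and \REGISTRY\MACHINE\...).
ENV_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:(?P<user>USER\\S-1-5-21-[\d-]+)"
    r"|(?P<machine>MACHINE\\SYSTEM\\[^\\]+\\Control\\Session Manager))\\Environment$",
    re.I,
)

# Value names worth alerting on and the settings that matter. The ATT&CK tags are our
# mapping: T1112 is the mechanism (a registry write), T1562.006 the objective (blinding ETW).
WATCHED_VALUES = {
    "complus_etwenabled": {
        "bad": {"0"},
        "attack": ["T1112 Modify Registry", "T1562.006 Impair Defenses: Indicator Blocking"],
        "why": "COMPlus_ETWEnabled=0 stops the .NET CLR from emitting ETW events",
    },
}


def triage_4657(events):
    """Return one finding per 4657 record that sets a watched Environment value to a bad setting."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4657:
            continue
        rule = WATCHED_VALUES.get(str(ev.get("ObjectValueName", "")).lower())
        if rule is None:
            continue
        m = ENV_KEY_RE.match(ev.get("ObjectName", ""))
        if m is None:
            continue  # the same value name under some application key does not change the CLR's environment
        new_value = str(ev.get("NewValue", "")).strip()
        if new_value not in rule["bad"]:
            continue  # e.g. an admin setting it back to 1
        findings.append({
            "time": ev.get("TimeCreated"),
            "scope": "user" if m.group("user") else "machine",
            "user": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
            "process": ev.get("ProcessName"),
            "value": f"{ev['ObjectValueName']}={new_value}",
            "attack": rule["attack"],
            "why": rule["why"],
        })
    return findings


# Constructed sample export (not real logs): two hits, three 4657 non-hits, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 4657, "TimeCreated": "2020-06-22T14:03:11Z", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Environment",
     "ObjectValueName": "COMPlus_ETWEnabled", "NewValue": "0"},
    {"EventID": 4657, "TimeCreated": "2020-06-22T14:05:40Z", "SubjectDomainName": "CORP", "SubjectUserName": "svc_deploy",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment",
     "ObjectValueName": "COMPlus_ETWEnabled", "NewValue": "0"},
    {"EventID": 4657, "TimeCreated": "2020-06-22T14:06:02Z", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\explorer.exe",
     "ObjectName": "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Environment",
     "ObjectValueName": "TEMP", "NewValue": "C:\\Users\\jdoe\\AppData\\Local\\Temp"},
    {"EventID": 4657, "TimeCreated": "2020-06-22T14:07:19Z", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Program Files\\Contoso\\app.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Contoso\\App",
     "ObjectValueName": "COMPlus_ETWEnabled", "NewValue": "0"},
    {"EventID": 4657, "TimeCreated": "2020-06-22T15:30:00Z", "SubjectDomainName": "CORP", "SubjectUserName": "admin",
     "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\Environment",
     "ObjectValueName": "COMPlus_ETWEnabled", "NewValue": "1"},
    {"EventID": 4688, "TimeCreated": "2020-06-22T14:03:10Z", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\reg.exe"},
]

if __name__ == "__main__":
    for finding in triage_4657(SAMPLE_EVENTS):
        print(finding)
```

Run it as-is to see the two findings; in practice feed it the 4657 records from your log pipeline and pair the machine-scope hit with whatever process-creation telemetry you have, since the registry write alone does not tell you what the attacker ran afterwards.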

 

https://www.us-cert.gov/ics/advisories/icsa-20-168-01

https://www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come/

 

https://www.tenable.com/blog/cve-2020-11896-cve-2020-11897-cve-2020-11901-ripple20-zero-day-vulnerabilities-in-treck-tcpip



https://arstechnica.com/information-technology/2020/06/to-evade-detection-hackers-are-requiring-targets-to-complete-captchas/

 

Check out our Store on TeePublic! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!: https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#Pandora: https://pandora.app.link/p9AvwdTpT3

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM: https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec



Wednesday, June 17, 2020

2020-023-James Nelson from Illumio, cyber resilience, business continuity


James Nelson, VP of Infosec, Illumio

How has COVID-19 changed cybersecurity? Why is cyber resilience especially important now? What are the most important steps to ensure cyber-resiliency? How do you talk to business leaders about investing in cybersecurity to boost resiliency?

The best way for organizations to keep their 'crown jewels' secure is to adopt a Zero Trust mindset. Organizations need to take advantage of adaptive security infrastructure that can scale to meet current and future organizational needs, and take steps to ensure that even third-party hosted data is policy compliant.

Most CISOs don't talk to the board regularly, so they don't realize that risk is the conversation the board wants to have. The security team's spokesperson needs a credible plan that shows how badly things could go wrong, ties money directly to mitigating those risks, and shows why an increase in spend corresponds to a decrease in risk; that is what gets the needed funding approved.

Cyber-Resilience:

https://en.wikipedia.org/wiki/Cyber_resilience

 

https://en.wikipedia.org/wiki/Business_continuity_planning#Resilience

 

https://www.darkreading.com/cloud/cyber-resiliency-cloud-and-the-evolving-role-of-the-firewall/a/d-id/1337206

Doug Barth and Evan Gilman - https://brakeingsecurity.com/2017-017-zero_trust_networking_with_doug_barth

part1 with Masha Sedova: https://traffic.libsyn.com/secure/brakeingsecurity/Masha_sedova-elevate_security-profiled-education-phishing-part1.mp3

Part2: https://traffic.libsyn.com/secure/brakeingsecurity/2020-019-masha_sedova-privacy-human_behavior-phishing-customized_training.mp3

https://www.helpnetsecurity.com/2017/08/24/assume-breach-world/

Key concepts:

Visibility into your environment

Controls necessary to repel attackers

Architecture of the network to create chokepoints (east/west, north/south isolation)

Threat modeling and regular threat assessment

Mechanisms to allow for rapid response

How long will current security controls hold a determined attacker at bay?



Business-wide Risk Management response can often determine resiliency in a Crisis/Breach situation.

 

Cyber-Resilience Framework (per NIST SP 800-160 Vol. 2, https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final)



What does "cyber resiliency" mean to the organization? To the department? To the individual? And what about the mission or business process the system is intended to support?

Which cyber resiliency objectives are most important to a given stakeholder? 

To what degree can each cyber resiliency objective be achieved? 

How quickly and cost-effectively can each cyber resiliency objective be achieved? 

With what degree of confidence or trust can each cyber resiliency objective be achieved? 

 

(What do we as security people do to ensure that all of these are properly answered? --brbr)





Architecture of systems:

Depending on the age of our information systems and technology stacks, cruft builds up, or one-off systems are set up and forgotten.

We (the infosec industry) talk about shifting security left in a DevOps environment to ensure security gets built in, but what should we do as an organization when we add systems and think about them in terms of cyber-resilience? (It would seem that resilience may also be tied to the security or functionality of a piece of hardware or software. A proper understanding of all of a system's capabilities/settings/options would be essential for drafting responses --brbr)

 

Some related and tangential suggestions for ideas/comments/themes/topics in case you feel like any fit into the conversation:

 

  • Comparison of security to the human immune system.
  • Does resilience (i.e., assume breach) imply there are failures you can recover from, yet other, existential risks you need to avoid? And what does that mean in practice?
  • How do you define “most valuable assets”? Value vs. obligations vs. ...?
  • Does a compliance mindset help or hinder resilience, and vice versa?
  • Referring back to a prior show, how does the human element contribute to resilience?
  • NIST doc makes a point that resilience only has meaning when it works across a system, how does this idea impact the cost of entry? And is there a tipping point for resilience?
  • Another point made is that speed should be viewed as an advantage. Is there an application of the OODA loop concept to resilience, then?
  • Cyber resilience resonates in other areas: Pandemics, natural disasters, and geo-political stressors. Could impact supply chain workforce effectiveness, other areas. Ransomware (which is cyber, but has other, knock-on effects).


Wednesday, June 10, 2020

2020-022-Andrew Shikiar, FIDO Alliance, removing password from IoT, and discussing FIDO implementation


Andrew Shikiar, executive director and CMO of the (Fast IDentity Online) FIDO Alliance.

 

What is FIDO?

"An open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world's over-reliance on passwords. FIDO addresses the lack of interoperability among strong authentication devices and reduces the problems users face creating and remembering multiple usernames and passwords."

FIDO workflow

Did any one event precipitate creation of the FIDO alliance?



UAF = https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html

 

U2F = https://en.wikipedia.org/wiki/Universal_2nd_Factor (yubikeys, tokens)

 

https://landing.google.com/advancedprotection/

 

FIDO supports biometrics - https://www.biometricupdate.com/202002/how-fido-based-biometric-technology-clears-up-the-iot-authentication-mess

 

FIDO certified software and companies: https://fidoalliance.org/fido-certified-showcase/

 

IBM: https://www.ibm.com/blogs/sweeden/fido2-conformance-why-its-a-big-deal/

 

Digital Identity Guidelines: Authentication and Lifecycle Management - digital ID framework

 

NIST guidelines that FIDO meets: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

 

https://fidoalliance.org/certification/authenticator-certification-levels/

 

 

https://fidoalliance.org/content/case-study/

 

https://loginwithfido.com/provider/

 

From a threat modeling perspective, how does '2FA' occur when the authenticating method and the browser are on the same device?

Consumer education initiative https://loginwithfido.com/

 

IoT Devices- https://fidoalliance.org/internet-of-things/

https://blog.techdesign.com/fido-authentication-to-secure-iot-devices/

 

For Developers: https://fidoalliance.org/developers/ or https://webauthn.io/ - dev information about WebAuthn

https://github.com/herrjemand/awesome-webauthn



https://fidoalliance.org/events/ - upcoming webinars for FIDO related topics

 

NTT DOCOMO introduces passwordless authentication for d ACCOUNT

 

https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev



Monday, June 1, 2020

2020-021- Derek Rook, redteam tactics, blue/redteam comms, and detection of testing


**If Derek told you about us at SANS, send a DM to @brakeSec or email bds.podcast@gmail.com for an invite to our slack**

OSCP/HTB/VulnHub boxes are a game... designed to have a tester find a specific nugget of information to pivot or gain greater privileges on the system.

Far different in the 'real' world.

 

Privilege escalation in Windows:

*as of June 2020 many of these items still work; they may stop working in the future*

*even so, many of these will not work if other mitigating controls are in place*

 

PENTEST METHODOLOGY:

PTES - http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines

OSSTMM - https://www.isecom.org/OSSTMM.3.pdf

 

Redteam methodology: https://www.synopsys.com/glossary/what-is-red-teaming.html

 

https://www.fuzzysecurity.com/tutorials/16.html

 

https://medium.com/@Shorty420/enumerating-ad-98e0821c4c78

 

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

 

Enumerate the machine

Services

Network connections

Users

Logins

Domains

Files

Software installed (putty, git, MSO, etc) *older software may install with improper permissions*

Service binary paths (along with the accounts the services run as)

Windows Features (WSL, SSH, etc)

Patch level (Build 1703, etc)

Wifi networks and passwords (netsh wlan show profile <SSID> key=clear)

Powershell history

Bash History (if WSL is used)

Incognito tokens

Stored credentials (cmdkey /list)

Powershell transcripts (search text files for "Windows PowerShell transcript start")

 

Context for the above: understand how the users make use of the system and how they connect to other systems, then follow those paths to find lateral movement opportunities, misconfigurations, etc. Each new system or user will provide further information to loot or avenues to explore.

 

Linux EoP:
https://guif.re/linuxeop

 

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

 

Enumeration

Mostly the same as above

Bash history or profile files

Writable scripts (tampering with paths or environment variables)

Setuid/Setgid binaries

Sticky bit directories

Crontabs

Email spools

World writable/readable files

.ssh config files (keys, active sessions)

Tmux/screen sessions

Application secrets (database files, web files with database connectivity, hard coded creds or keys, etc)

VPN profiles

GNOME keyrings- https://askubuntu.com/questions/96798/where-does-seahorse-gnome-keyring-store-its-keyrings
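The Linux checklist above done as one pass in code: as an added example (not from the linked guides or from the show's notes), this Python script walks a filesystem root and reports setuid/setgid binaries, world-writable files, sticky world-writable directories, credential-looking lines in shell history and profile files, files under .ssh, cron entries whose target script is writable by everyone, and credential-looking lines in config/web files. It builds a constructed directory tree (made-up paths, key and passwords) so it runs offline; on a real target call enumerate_host("/") instead. It deliberately lists every setuid binary rather than guessing which are legitimate; diff the list against a clean build of the same distro. Email spools, tmux/screen sockets, VPN profiles and GNOME keyrings from the list above are not covered by it.

```python
import os, re, stat, tempfile

SECRET_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private", re.I)
HISTORY_NAMES = {".bash_history", ".zsh_history", ".python_history", ".bashrc", ".profile"}
CRON_PATHS = ("etc/crontab", "etc/cron.d/", "var/spool/cron/")
CONFIG_SUFFIXES = (".conf", ".cfg", ".ini", ".env", ".yml", ".yaml", ".php", ".json")


def grep_secrets(path):
    """Lines in a text file that look like they carry a credential (regex heuristic)."""
    try:
        with open(path, errors="replace") as fh:
            return [line.rstrip("\n") for line in fh if SECRET_RE.search(line)]
    except OSError:
        return []


def cron_targets(path):
    """Absolute paths named in crontab command fields (env assignments and comments skipped)."""
    targets = []
    with open(path, errors="replace") as fh:
        for line in fh:
            fields = line.split()
            if not fields or fields[0].startswith("#") or "=" in fields[0]:
                continue
            targets += [tok for tok in fields if tok.startswith("/")]
    return targets


def enumerate_host(root="/"):
    """One pass over the tree rooted at `root`; paths are reported relative to it."""
    f = {k: [] for k in ("setuid", "world_writable", "sticky_dirs", "history_secrets",
                         "ssh_material", "cron_writable_targets", "config_secrets")}
    rel = lambda p: "/" + os.path.relpath(p, root).replace(os.sep, "/")
    for dirpath, _dirs, files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_ISVTX and mode & stat.S_IWOTH:
            f["sticky_dirs"].append(rel(dirpath))
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, devices
            r = rel(path)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                f["setuid"].append(r)
            if mode & stat.S_IWOTH:
                f["world_writable"].append(r)
            if name in HISTORY_NAMES:
                f["history_secrets"] += [f"{r}: {l}" for l in grep_secrets(path)]
            if os.path.basename(dirpath) == ".ssh":
                f["ssh_material"].append(r)
            if r.lstrip("/").startswith(CRON_PATHS):
                for tgt in cron_targets(path):
                    real = os.path.join(root, tgt.lstrip("/"))
                    if os.path.isfile(real) and os.lstat(real).st_mode & stat.S_IWOTH:
                        f["cron_writable_targets"].append(f"{r} -> {tgt}")
            if name.endswith(CONFIG_SUFFIXES):
                f["config_secrets"] += [f"{r}: {l}" for l in grep_secrets(path)]
    return f


def build_sample_root():
    """Constructed snapshot (made-up paths, key and passwords) that exercises each check."""
    root = tempfile.mkdtemp(prefix="eop-")

    def put(relpath, content, mode=0o644):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    put("usr/bin/passwd", "ELF", 0o4755)                    # expected setuid
    put("opt/legacy/runme", "ELF", 0o4755)                  # unexpected setuid: investigate
    put("opt/backup/backup.sh", "#!/bin/sh\ntar czf /srv/b.tgz /srv\n", 0o777)  # anyone can edit what root runs
    put("etc/cron.d/backup", "SHELL=/bin/sh\n*/5 * * * * root /opt/backup/backup.sh\n")
    put("home/dev/.bash_history", "ls\nmysql -u app --password=S3cretPw app\nexit\n", 0o600)
    put("home/dev/.ssh/id_ed25519", "-----BEGIN OPENSSH PRIVATE KEY-----\n", 0o600)
    put("var/www/app/config.php", "<?php $db_password = 'hunter2';\n")
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    return root


if __name__ == "__main__":
    for key, hits in enumerate_host(build_sample_root()).items():
        print(f"[{key}]")
        for h in hits:
            print("   ", h)
```

The cron check is the one that turns a list into a privilege-escalation path: a root-run script that anyone can write to is the "writable scripts" item from the list above, found automatically instead of by reading every crontab by hand.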

 

Ways to defend against those kinds of EoP.



Something cool: https://www.youtube.com/playlist?playnext=1&list=PLnxNbFdr_l6sO6vR6Vx8sAJZKpgKtWaGX&feature=gws_kp_artist  -- high Rollers

 

Derek is speaking at SANS SUMMIT happening on 04-05 June (FREE!) - https://www.sans.org/event/hackfest-ranges-summit-2020

 

Ms. Berlin is speaking at EDUCAUSE - VIRTUAL (04 June) https://www.educause.edu/





Wednesday, May 27, 2020

2020-020-Andrew Shikiar - FIDO Alliance - making Cybersecurity more secure



Wednesday, May 13, 2020

2020-016-


Masha Sedova - Founder, Elevate Security

 

Topic ideas from the PR company:

 

  1. Inability to measure human security behaviors leads to increased risk in our computing environments. For too long, we’ve accepted training completion and mock phishing data as a sufficient way to measure this risk. But where do the vulnerabilities and strengths truly lie? 

 

The secret is, security teams have installed tons of security tooling that can give insights into how our employees are behaving. But we just leave this data on the cutting room floor. Masha Sedova can talk about where to find this goldmine of data and what security teams can do to leverage this new found knowledge. 

 

Technology like vuln scanners or something more?

 

 

 

 

  2. Study after study shows that the reason why people don’t do things is not always because they don’t understand, it’s because they are not motivated. Motivating employees to change their cybersecurity behavior can seem like an overwhelming task but there are simple behavioral science techniques cybersecurity professionals can leverage to motivate employees to do the right thing. Masha Sedova will discuss the power of integrating elements of behavioral science into security in order to influence positive behavior. 

 

 

Motivation Theory (Deming): https://en.wikipedia.org/wiki/W._Edwards_Deming#Key_principles

 

Theory X and Theory Y: https://en.wikipedia.org/wiki/Theory_X_and_Theory_Y

 

Ouchi's Theory Z: https://en.wikipedia.org/wiki/Theory_Z_of_Ouchi

 

http://www.yourarticlelibrary.com/motivation/motivation-theories-top-8-theories-of-motivation-explained/35377

 

Masha’s suggested topics: 

 

Why do security teams have difficulty in understanding their human risk today? What are the blockers? 



What should security teams be measuring to get a holistic view of human risk? 



What's the difference between security culture, security behavior change, and security awareness? 



Is security culture a core capability in security defense? Why or why not?  

 

Quantifying risk…

 

Is investing in human training a waste of time?

 

Phishing - mock phish or real phishing

Pull data to see who is clicking on links

Send an ‘intervention’

 

Gotta move away from training

The ‘security team’ will save them…

 

https://www.ncsc.gov.uk/guidance/phishing

 

Books:

 

https://www.amazon.com/Nudge-Improving-Decisions-Health-Happiness/dp/014311526X

 

https://www.amazon.com/Drive-Surprising-Truth-About-Motivates/dp/1594484805/ref=sr_1_1?crid=2QQ59YRRU89YX&dchild=1&keywords=drive+daniel+pink&qid=1588733551&s=books&sprefix=drive%2Cstripbooks%2C240&sr=1-1

 

Reality broken: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611

 

People centric security: https://www.amazon.com/People-Centric-Security-Transforming-Enterprise-Culture/dp/0071846778/ref=sr_1_1?dchild=1&keywords=people+centric+security&qid=1588733580&s=books&sr=1-1

 

Deep Thought: a cybersecurity novella: https://www.ideas42.org/blog/project/human-behavior-cybersecurity/deep-thought-a-cybersecurity-story/

 

https://elevatesecurity.com/

@modmasha


Tuesday, May 5, 2020

2020-017-Cameron Smith, business decisions, and how it affects Security


Cameron Smith @Secnomancer

 

Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)

https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

 

CMMC: https://info.summit7systems.com/blog/cmmc

https://www.comptia.org/certifications/project - Project+

Cameron Smith = www.twitter.com/secnomancer

Cybersmith.com - Up by 14 April

 

Ask@thecybersmith.com

Cameron@thecybersmith.com

https://en.wikipedia.org/wiki/Christopher_Voss https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805

https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation

https://www.masterclass.com/

 

https://www.autopsy.com/support/training/covid-19-free-autopsy-training/

https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

 

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.”― Ernest Hemingway  https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb

SITREP: A Consultant's Perspective from the Trenches of InfoSec In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal

After my presentation is over, I want my audience to...

  • Feel better about where they are as an infosec practitioner
  • Understand that most of Cybersecurity is largely NOT about the latest hack or technique
  • Failing is OK as long as you learn from it

...so that ...

  • When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
  • Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro

  • Security is a really crazy industry

    • Like the wild west out here
    • Constant threats
    • Complacent or ignorant clients/dependents
    • Resource and budget constraints
  • Security is really complex

    • There are SO. MANY. MOVING. PIECES.
    • There is a never ending stream of new information to learn and new threats to face
    • Security always involves at LEAST 4 parts
      • The practitioner - Hopefully you have backup!
      • What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
      • What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
      • What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
  • Cybersecurity/Information Security is simultaneously an old and new/emergent discipline

    • Cyber History
      • Old
        • Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
        • Phreaking in the 1960s
        • ARPANET Creeper - 1971
        • Morris Worm - 1988
      • New
        • Gartner Coined term SOAR in 2017
          • Yeah... It's barely 3 years old.
          • Now you can literally find job openings with SOAR Engineering titles
        • DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
        • Average enterprise is running 75 security tools in their environment (Cybersecurity almanac 2019)
    • Most cybersecurity professionals over 30 do not have degrees in cybersecurity
      • Many don't even have Computer Science or IT related degrees
      • This is its own problem
        • Training cyber pros, Chris Sanders, cognitive crisis, etc.
          • BDS ep 2019-021 and 2019-022
    • Emergent disciplines are challenging by default
    • You chose to play the game on hard mode for your first play through

Security really isn't as complicated as most people think

  • Occult Phenomenon
    • Things we don't understand we imagine to be far more complex
    • Things we anticipate we imagine to be far worse than they are
  • Grass isn't greener
    • Most security departments aren't doing better than you are
    • Maturity models aren't magic

Establish Credibility

  • I have been in A LOT of client environments in the last 12 years
  • Last time I checked, I have more than 350 discrete client engagements under my belt
    • I have worked with hundreds of internal, external, and hybrid IT and Security solutions
    • I've met the same tired and beleaguered IT/Security personnel over and over again
      • SSDD, very little actually changes from place to place
  • In that time, I've learned quite a bit about what makes security work
  • I've learned even more about what NOT to do
  • I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail

Very Large Company Examples

  • Big Four Bank Example

    • Situation
      • Four Local Branches in Midwest
      • Physical Security Assessment
        • How I got onto the site as a cash machine servicer was incredibly easy
    • Problem
      • Absolute trust of vendors/vendor compromise
    • How do we as security practitioners fix it?
      • Good internal relationships with functional area leaders
      • Work closely with functional areas to left and to the right
        • Who? Operations? HR? Purchasing?
        • Every functional area and specifically the leadership
        • Improved communications and availability
        • 8 and Up
          • 'Gotta git gud' at the soft stuff
  • Top 50 Chain Restaurant Example

    • Situation
      • Doing Chip Reader refreshes across all ~600 locations for PCI Compliance during 2017 window
    • Problem
      • Poor project management on behalf of security team led to project failure
      • A security problem became an IT problem
      • Contractor to subcontractor to subcontractor added time and complexity
    • How do we as security practitioners fix it?
      • Security managers need to be aware of how their projects impact others
      • Managing up
      • Security needs to be interdisciplinary

Government Examples

  • Police Department Example

    • Situation
      • City Administrator got Spear Phished
    • Problem
      • Spear phishing
      • Poor logging
    • How do we as security practitioners fix it?
      • Look for the most basic problems and try to fix them
      • Find or create solutions that provide basic capabilities
      • Cannot prevent the lowest hanging fruit directly, so impact what you can change
        • What you can actually do about phishing
        • Getting people to do something that you want them to do
  • Defense SubContractor Example

    • Situation
      • Working with MSP on security issues
      • “Do we have a SIEM” email?
    • Problem
      • Company executives have never done due diligence
      • Assumed that MSP had it under control
      • MSP just did what they normally do and within letter of their contract
    • How do we as security practitioners fix it?
      • Security needs to be proactive

Small Company Examples

  • Light Manufacturer Example

    • Situation
      • Server not working, Ransomware
      • Attackers pivoted through third party accountant access
    • Problem
      • Single Point of Failure (SPOF)
      • Vendor Compromise
    • How do we as security practitioners solve it?
      • IT problems become security problems on long enough timeline
      • Need to provide actual solutions to business problems
      • Security CANNOT be decoupled from business needs
  • Telecommunications Provider

    • Situation
      • Employee reports CEO was hacked
    • Problem
      • Employee panicked, emailed everyone
      • Escalated way beyond what was necessary
    • How do we as security practitioners solve it?
      • Employee education - Boring answer
      • What's actually under our control here?
        • Clear processes for security incidents
        • Clear communications channels for employees with IT and security groups
        • Knowledge management
  • Local NGO Example

    • Situation
      • Meeting with Executive Director regarding server failure
    • Problem
      • Mentions that she was sent security guidelines from global parent org
      • Got so overwhelmed reading it she just closed it and kept working on something else
    • How do we as security practitioners solve it?
      • We have to make this information digestible and accessible
      • We do NOT need to make already dense subject matter even more inaccessible
      • When you cannot mandate compliance, how do you achieve it?
        • More flies with honey than vinegar
        • Build relationships - Layer 8 strikes again


Wednesday, April 29, 2020

2020-016-Cameron Smith, Business decisions and their (in)secure outcomes - Part 1


Cameron Smith @Secnomancer

 

Layer8conference is virtual (https://layer8conference.com/layer-8-is-online-this-year/)

https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

 

CMMC:https://info.summit7systems.com/blog/cmmc

https://www.comptia.org/certifications/project - Project+

Cameron’s Smith = www.twitter.com/secnomancer

Cybersmith.com - Up by 14 April

 

Ask@thecybersmith.com

Cameron@thecybersmith.com

https://en.wikipedia.org/wiki/Christopher_Voss https://www.amazon.com/Never-Split-Difference-Negotiating-Depended/dp/0062407805

https://www.masterclass.com/classes/chris-voss-teaches-the-art-of-negotiation

https://www.masterclass.com/

 

https://www.autopsy.com/support/training/covid-19-free-autopsy-training/

https://www.youtube.com/playlist?list=PLg_QXA4bGHpvsW-qeoi3_yhiZg8zBzNwQ

 

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” Ernest Hemingway  https://www.goodreads.com/quotes/76281-there-is-nothing-noble-in-being-superior-to-your-fellow

Original B-Sides Talk Blurb

SITREP: A Consultant's Perspective from the Trenches of InfoSec

In this session you will hear war stories and lessons learned consulting for hundreds of clients across dozens of verticals at every level, from bootstrapped startups with garage beginnings to Fortune 50 companies and everything in between. We will cover life on the front lines in InfoSec, ranging from individual contributions and staying relevant in a rapidly evolving field all the way to how bad most orgs are at InfoSec and what we can do as practitioners to help make them better.

Speaking Goal

After my presentation is over, I want my audience to...

  • Feel better about where they are as an infosec practitioner
  • Understand that most of Cybersecurity is largely NOT about the latest hack or technique
  • Understand that failing is OK as long as you learn from it

...so that ...

  • When they go back to their office / SOC / client engagements on Monday they focus on the things that matter to their organizations
  • Hopefully feel a little bit less that the work they are doing is boring, exhausting, unappreciated, or hopeless

Intro

  • Security is a really crazy industry

    • Like the wild west out here
    • Constant threats
    • Complacent or ignorant clients/dependents
    • Resource and budget constraints
  • Security is really complex

    • There are SO. MANY. MOVING. PIECES.
    • There is a never ending stream of new information to learn and new threats to face
    • Security always involves at LEAST 4 parts
      • The practitioner - Hopefully you have backup!
      • What you're protecting - Employer, Client, System, Application, Data, SOMETHING, etc
      • What you're protecting it from - External TAs, Internal TAs, Incompetence, Apathy, Plain Ol' Vanilla Constraints, etc
      • What you have to protect it with - Budgets, Time, Personnel, Training, Relationships, etc
  • Cybersecurity/Information Security is simultaneously an old and new/emergent discipline

    • Cyber History
      • Old
        • Nevil Maskelyne / Guglielmo Marconi wireless telegraphy attack and Morse code insults - 1903
        • Phreaking in the 1960s
        • ARPANET Creeper - 1971
        • Morris Worm - 1988
      • New
        • Gartner Coined term SOAR in 2017
          • Yeah... It's barely 3 years old.
          • Now you can literally find job openings with SOAR Engineering titles
        • DevSecOps - Amazon presentation in 2015? Not even in grade school yet.
        • Average enterprise is running 75 security tools in their environment (Cybersecurity almanac 2019)
    • Most cybersecurity professionals over 30 do not have degrees in cybersecurity
      • Many don't even have Computer Science or IT related degrees
        • This is its own problem
        • Training cyber pros, Chris Sanders, cognitive crisis, etc.
          • BDS ep 2019-021 and 2019-022
    • Emergent disciplines are challenging by default
    • You chose to play the game on hard mode for your first playthrough

Security really isn't as complicated as most people think

  • Occult Phenomenon
    • Things we don't understand we imagine to be far more complex
    • Things we anticipate we imagine to be far worse than they are
  • Grass isn't greener
    • Most security departments aren't doing better than you are
    • Maturity models aren't magic

Establish Credibility

  • I have been in A LOT of client environments in the last 12 years
  • Last time I checked, I have more than 350 discrete client engagements under my belt
    • I have worked with hundreds of internal, external, and hybrid IT and Security solutions
    • I've met the same tired and beleaguered IT/Security personnel over and over again
      • SSDD, very little actually changes from place to place
  • In that time, I've learned quite a bit about what makes security work
  • I've learned even more about what NOT to do
  • I want to share some of that with you today so you can see how organizations of all shapes and sizes can fail

Very Large Company Examples

  • Big Four Bank Example

    • Situation
      • Four Local Branches in Midwest
      • Physical Security Assessment
        • Getting onto site as a cash machine servicer was incredibly easy
    • Problem
      • Absolute trust of vendors/vendor compromise
    • How do we as security practitioners fix it?
      • Good internal relationships with functional area leaders
      • Work closely with functional areas to left and to the right
        • Who? Operations? HR? Purchasing?
        • Every functional area and specifically the leadership
        • Improved communications and availability
        • 8 and Up
          • 'Gotta git gud' at the soft stuff
  • Top 50 Chain Restaurant Example

    • Situation
      • Doing Chip Reader refreshes across all ~600 locations for PCI Compliance during 2017 window
    • Problem
      • Poor project management on behalf of security team led to project failure
      • A security problem became an IT problem
      • Contractor to subcontractor to subcontractor added time and complexity
    • How do we as security practitioners fix it?
      • Security managers need to be aware of how their projects impact others
      • Managing up
      • Security needs to be interdisciplinary

Government Examples

  • Police Department Example

    • Situation
      • City Administrator got Spear Phished
    • Problem
      • Spear phishing
      • Poor logging
    • How do we as security practitioners fix it?
      • Look for the most basic problems and try to fix them
      • Find or create solutions that provide basic capabilities
      • Cannot prevent the lowest hanging fruit directly, so impact what you can change
        • What you can actually do about phishing
        • Getting people to do something that you want them to do
  • Defense SubContractor Example

    • Situation
      • Working with MSP on security issues
      • “Do we have a SIEM” email?
    • Problem
      • Company executives have never done due diligence
      • Assumed that MSP had it under control
      • MSP just did what they normally do and within letter of their contract
    • How do we as security practitioners fix it?
      • Security needs to be proactive

Small Company Examples

  • Light Manufacturer Example

    • Situation
      • Server not working, Ransomware
      • Attackers pivoted through third party accountant access
    • Problem
      • Single Point of Failure (SPOF)
      • Vendor Compromise
    • How do we as security practitioners solve it?
      • IT problems become security problems on a long enough timeline
      • Need to provide actual solutions to business problems
      • Security CANNOT be decoupled from business needs
  • Telecommunications Provider

    • Situation
      • Employee reports CEO was hacked
    • Problem
      • Employee panicked, emailed everyone
      • Escalated way beyond what was necessary
    • How do we as security practitioners solve it?
      • Employee education - Boring answer
      • What's actually under our control here?
        • Clear processes for security incidents
        • Clear communications channels for employees with IT and security groups
        • Knowledge management
  • Local NGO Example

    • Situation
      • Meeting with Executive Director regarding server failure
    • Problem
      • Mentions that she was sent security guidelines from global parent org
      • Got so overwhelmed reading it she just closed it and kept working on something else
    • How do we as security practitioners solve it?
      • We have to make this information digestible and accessible
      • We do NOT need to make already dense subject matter even more inaccessible
      • When you cannot mandate compliance, how do you achieve it?
        • More flies with honey than vinegar
        • Build relationships - Layer 8 strikes again


Tuesday, April 21, 2020

2020-015-Tanya_Janca-Using Github Actions in your Devops Environment, workflow automation


Github actions - https://github.com/features/actions

How are these written?

It looks like a marketplace format? How do they maintain code quality?

What does it take to set up the actions?

It looks like IFTTT for DevOps?

What kind of integrations does it allow for? Will it handle logins or API calls for you?

Is it moderated in some way? What’s the acceptance criteria for these?

What are you trying to accomplish by using Github Actions?
What are the benefits of using these over XX product?

What is gained by using this?

 



Mention Twitch channel and when (join the mailing list)

Github actions “Twitch.tv/shehackspurple”

 

Coaching, Project Management, Scrum Management

 

Alice and Bob Learn Application Security - Wiley - Fall/Winter 2020



Links:

https://shehackspurple.dev

https://mailchi.mp/e2ab45528831/shehackspurple

https://twitter.com/shehackspurple

https://dev.to/shehackspurple

https://medium.com/@shehackspurple 

https://www.youtube.com/shehackspurple  

https://www.twitch.tv/shehackspurple

https://www.linkedin.com/in/tanya-janca

https://github.com/shehackspurple/

 
