Engagement Zen: Transforming IT & the Business through Security for Fun + Profit

Recently I presented a talk at BSides Detroit 2014. It was a fantastic experience. The organizers were excellent. The audience was great. I loved standing up on stage in front of people for the first time in almost two years. The feedback was constructive and wonderful. I look forward to continuing the conversation and presenting this talk at other events.

What’s the talk about? It’s about how Security is a different kind of entity inside any business, assuming Security’s role stays in-house rather than being outsourced. Security Professionals cross all the silos that a traditional IT organization creates and isolates itself within (DBAs, AppDev, Linux SysAdmins, Windows SysAdmins, Network, etc.). Security Professionals also see and interact with parts of the business that IT typically doesn’t (HR, Legal, Finance, R&D, etc.). This gives Security a unique perspective.

Security must leverage their unique position to make a positive and memorable impact with IT and the business. Spreading Fear, Uncertainty & Doubt (FUD) isn’t the way. Conveying the message that the sky is falling isn’t the way. Constantly saying “no” isn’t the way.

What is the way? Talk with IT & the Business. But don’t talk with them about what you want, which is Security. Talk with them about what they want. Ask them about their fears and concerns and problems and what they wish they could do but don’t know how to do.

I wanted to come up with an approach that wouldn’t need approval or bureaucracy or some management intervention. I wanted something anyone could do at zero cost at any time with little to no gear needed.

And thus: Interview them. See the slide deck for how to go about this.

If you can solve a problem for IT and/or the Business, one that leverages Security’s unique view inside the organization, then they will want to engage with Security in the future. Done properly, they will seek you out, accept it when you engage, and consider you a trusted advisor.

It also has the benefit of action: you are doing something now, which is much preferred to waiting for someone to realize that security is important.

Several people have asked where to get my slide deck for the talk. You can get it from Dropbox here.

Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com

October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.

Since jumping to Facebook from his job at Google a few years ago, Flynn has been part of the Facebook security team that masquerades as bad guys during the month of October, doing their best to bust into the corporate network that underpins the social networking giant. They call it “Hacktober,” and the idea is to find the holes where the real bad guys might attack the company. Last year, Flynn and other Facebook security engineers created a fake news story designed to spread a computer worm around the network.

Flynn — who goes by the nickname “Four” — won’t say what’s in store for Facebook’s employees this October, but one thing seems certain: Hacking them is going to be that much more of a challenge. Over the past year, the company has equipped many employee systems with Yubikeys, little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.

via Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com.
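The article says what a YubiKey buys you but not why an OTP captured on a compromised workstation is worthless a minute later. The following is an added example, not code from Wired, Facebook or Yubico: a Go implementation of the Yubico OTP token format (modhex encoding, the RFC 1662 CRC with its 0xF0B8 residue, AES-128 encryption of the 16-byte token) and a server-side validator that rejects any OTP whose (session counter, use counter) pair is not strictly newer than the last one it accepted. The key, public id, private id and counter values are constructed for the demo; a real key also fills the timestamp and random slots that this example leaves zero.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

// Yubico's keyboard-layout-independent hex alphabet: c=0, b=1, d=2 ... v=15.
const modhexAlphabet = "cbdefghijklnrtuv"

// Token is what the validator learns from one OTP: the key's non-volatile power-up
// counter and the volatile per-session use counter. Together they order every OTP a key emits.
type Token struct {
	Counter uint16
	Use     uint8
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhexAlphabet[c>>4])
		sb.WriteByte(modhexAlphabet[c&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhexAlphabet, s[2*i]), strings.IndexByte(modhexAlphabet, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("modhex: bad character at offset %d", 2*i)
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the reflected CRC-16 (poly 0x8408, init 0xFFFF) Yubico OTP uses. It is the RFC 1662
// FCS, so a 16-byte token that carries its own inverted CRC leaves the residue 0xF0B8.
func crc16(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // -(crc&1) is 0xFFFF when the low bit is set
		}
	}
	return crc
}

// GenerateOTP plays the key's part. Plaintext layout (little-endian): private uid[0:6],
// counter[6:8], 8 Hz timestamp[8:11], use[11], random[12:14], ^crc16[14:16]; timestamp and
// random are left zero here. Output is modhex(publicID) || modhex(AES-128-ECB(key, plaintext)).
func GenerateOTP(key [16]byte, publicID []byte, uid [6]byte, t Token) string {
	pt := make([]byte, 16)
	copy(pt[0:6], uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], t.Counter)
	pt[11] = t.Use
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is exactly 16 bytes
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	return modhexEncode(publicID) + modhexEncode(ct)
}

// Validator is the server-side state for one enrolled key.
type Validator struct {
	Key         [16]byte
	PublicID    []byte
	UID         [6]byte
	lastCounter uint16
	lastUse     uint8
	seen        bool
}

// Verify decrypts, checks CRC and private id, then rejects anything not newer than the last accepted OTP.
func (v *Validator) Verify(otp string) (Token, error) {
	n := len(v.PublicID)
	raw, err := modhexDecode(otp)
	if err != nil || len(otp) != 2*(n+16) || string(raw[:n]) != string(v.PublicID) {
		return Token{}, fmt.Errorf("otp: malformed or unknown public id")
	}
	block, _ := aes.NewCipher(v.Key[:])
	pt := make([]byte, 16)
	block.Decrypt(pt, raw[n:])
	if crc16(pt) != 0xF0B8 || string(pt[0:6]) != string(v.UID[:]) {
		return Token{}, fmt.Errorf("otp: CRC or private id failure (wrong key, corrupted, or forged)")
	}
	t := Token{Counter: binary.LittleEndian.Uint16(pt[6:8]), Use: pt[11]}
	// Replay defence: (counter, use) must strictly increase, so a captured OTP is single-use.
	if v.seen && (t.Counter < v.lastCounter || (t.Counter == v.lastCounter && t.Use <= v.lastUse)) {
		return Token{}, fmt.Errorf("otp: replayed or out of order")
	}
	v.lastCounter, v.lastUse, v.seen = t.Counter, t.Use, true
	return t, nil
}
```

The practitioner point is in the last check of Verify: the AES key never leaves the token, so malware on the workstation can only record OTPs, and every recorded one is dead as soon as the validator has seen anything newer. What it does not stop is the malware using the session that a fresh OTP just opened, which is why this pairs with session controls rather than replacing them.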

Hackers target high profile domains – Securelist

During the last days, several high profile domains have been defaced, including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis, it does not seem that the actual webserver has been compromised; the most likely attack vector is that the DNS has been hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did, or what kind of information they were able to obtain. When analyzing previous compromises and defaces, it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain, there were two indicators that stood out.

via Hackers target high profile domains – Securelist.

Read on for the details and the two interesting indicators.
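If the trend is registrar and DNS hijacking rather than webserver compromise, the cheap defensive check is a baseline of your own delegation and records, compared on a schedule. Below is an added example in Go, not Securelist’s code or tooling: it normalizes names (case, trailing dot, whitespace), diffs observed NS and A sets against a baseline, rates an NS delegation change as the hijack signature and an A-only change as a warning, and treats a failed lookup as unknown rather than as “every record vanished”. The domain, nameserver names and addresses are constructed; in production the observation would come from a resolver, and the NS set should be fetched from the parent (TLD) zone, because a hijacked registrar changes the delegation there.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Baseline is what the registrar delegation and the zone are supposed to say about a domain.
type Baseline struct {
	Domain string
	NS     []string // nameservers the registrar should be delegating to
	A      []string // addresses the web front end should resolve to
}

// Observation is one lookup's result. Here the values are constructed so the check runs offline.
type Observation struct {
	NS, A []string
	Err   error
}

// Finding is one line of output with a severity of "info", "warn" or "alert".
type Finding struct {
	Severity, Message string
}

// normalize makes "NS1.Example.NET." and "ns1.example.net" compare equal.
func normalize(names []string) map[string]bool {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		if n = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(n), ".")); n != "" {
			set[n] = true
		}
	}
	return set
}

// diff returns baseline entries that disappeared and observed entries the baseline lacks.
func diff(expected, observed []string) (missing, unexpected []string) {
	e, o := normalize(expected), normalize(observed)
	for n := range e {
		if !o[n] {
			missing = append(missing, n)
		}
	}
	for n := range o {
		if !e[n] {
			unexpected = append(unexpected, n)
		}
	}
	sort.Strings(missing)
	sort.Strings(unexpected)
	return missing, unexpected
}

// Check classifies drift. A changed NS delegation is the registrar/DNS hijack signature and
// is an alert; a changed A set alone may be a hosting move or a zone edit, so it only warns;
// a failed lookup is reported as unknown, never as "all records missing".
func Check(b Baseline, o Observation) []Finding {
	if o.Err != nil {
		return []Finding{{"warn", fmt.Sprintf("%s: lookup failed (%v); state unknown", b.Domain, o.Err)}}
	}
	var out []Finding
	if m, u := diff(b.NS, o.NS); len(m)+len(u) > 0 {
		out = append(out, Finding{"alert", fmt.Sprintf("%s: NS delegation changed, missing=%v unexpected=%v", b.Domain, m, u)})
	}
	if m, u := diff(b.A, o.A); len(m)+len(u) > 0 {
		out = append(out, Finding{"warn", fmt.Sprintf("%s: A records changed, missing=%v unexpected=%v", b.Domain, m, u)})
	}
	if len(out) == 0 {
		out = append(out, Finding{"info", b.Domain + ": matches baseline"})
	}
	return out
}

func main() {
	base := Baseline{Domain: "example.com", NS: []string{"ns1.dns-provider.example", "ns2.dns-provider.example"}, A: []string{"192.0.2.10"}}
	// Constructed observations: a benign lookup, one that looks like a delegation hijack, and a timeout.
	for _, o := range []Observation{
		{NS: []string{"NS2.DNS-PROVIDER.EXAMPLE.", "ns1.dns-provider.example"}, A: []string{"192.0.2.10"}},
		{NS: []string{"ns1.attacker.example"}, A: []string{"198.51.100.7"}},
		{Err: errors.New("timeout")},
	} {
		for _, f := range Check(base, o) {
			fmt.Printf("[%s] %s\n", f.Severity, f.Message)
		}
	}
}
```

An alert from the NS check means the first call is to the registrar, not the hosting team: check the registrar account, its MFA and its contact addresses, and ask for a registry lock if the domain matters enough.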

ISC Diary | Microsoft October 2013 Patch Tuesday

Overview of the October 2013 Microsoft patches and their status, via ISC Diary | Microsoft October 2013 Patch Tuesday.

Microsoft scores these as four critical and three important patches. The ISC’s scoring is more refined, so read the article for the breakdown grid. The big news is the fix for the IE vulnerabilities.

Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog

FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing it.

Recently FireEye discovered a new mobile threat from a popular ad library that no other antivirus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.

via Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog.

I’m just starting to read up on this. Does anyone know of reliable secondary sources?

Securing More Vulnerabilities By Patching Less — Dark Reading

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco — now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm — duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

via Securing More Vulnerabilities By Patching Less — Dark Reading.

Hmm. This is, to me, a new take on patch management. It oddly falls in with a discussion I had almost two years ago, oddly in that my peers and I came up with the same concept for different but related reasons.

What do you think?
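To make the article’s point concrete, here is an added example in Go, my own construction rather than anything from Dark Reading or Velazco’s process: the same six scanner findings ranked two ways, by CVSS alone and by what an attacker would actually pick first (seen in real attacks, then public exploit available, exposure breaking ties, CVSS only within a tier), with a function that measures how many of the weaponized bugs a fixed patch budget covers under each ordering. The vulnerability IDs, scores and flags are placeholders, not real advisories.

```go
package main

import (
	"fmt"
	"sort"
)

// Vuln is one scanner finding enriched with what an attacker would know about it.
type Vuln struct {
	ID            string
	CVSS          float64
	ExploitPublic bool // working exploit code is public (exploit-db, a Metasploit module, ...)
	SeenInAttacks bool // threat intelligence reports real intrusions using it
	Exposed       bool // the affected host is reachable from an untrusted network
}

// tier orders findings the way an attacker would pick them: 0 is "fix today".
func tier(v Vuln) int {
	switch {
	case v.SeenInAttacks && v.Exposed:
		return 0
	case v.SeenInAttacks:
		return 1
	case v.ExploitPublic && v.Exposed:
		return 2
	case v.ExploitPublic:
		return 3
	default:
		return 4
	}
}

func rank(vulns []Vuln, less func(a, b Vuln) bool) []Vuln {
	out := append([]Vuln(nil), vulns...)
	sort.SliceStable(out, func(i, j int) bool { return less(out[i], out[j]) })
	return out
}

// RankByCVSS is the conventional ordering: highest severity first, ties broken by ID.
func RankByCVSS(vulns []Vuln) []Vuln {
	return rank(vulns, func(a, b Vuln) bool {
		if a.CVSS != b.CVSS {
			return a.CVSS > b.CVSS
		}
		return a.ID < b.ID
	})
}

// RankByAttacker puts weaponized and in-the-wild bugs first; CVSS only breaks ties within a tier.
func RankByAttacker(vulns []Vuln) []Vuln {
	return rank(vulns, func(a, b Vuln) bool {
		if tier(a) != tier(b) {
			return tier(a) < tier(b)
		}
		if a.CVSS != b.CVSS {
			return a.CVSS > b.CVSS
		}
		return a.ID < b.ID
	})
}

// WeaponizedCoverage is the share of findings with a public exploit or known in-the-wild
// use that land inside the first n slots of a ranking, i.e. inside a fixed patch budget.
func WeaponizedCoverage(ranked []Vuln, n int) float64 {
	total, covered := 0, 0
	for i, v := range ranked {
		if v.ExploitPublic || v.SeenInAttacks {
			total++
			if i < n {
				covered++
			}
		}
	}
	if total == 0 {
		return 1
	}
	return float64(covered) / float64(total)
}

// IDs flattens a ranking for display.
func IDs(vulns []Vuln) []string {
	ids := make([]string, len(vulns))
	for i, v := range vulns {
		ids[i] = v.ID
	}
	return ids
}

// Sample is a constructed scan result; the IDs are placeholders, not real advisories.
func Sample() []Vuln {
	return []Vuln{
		{ID: "V1", CVSS: 9.8, Exposed: true},
		{ID: "V2", CVSS: 7.5, ExploitPublic: true, SeenInAttacks: true, Exposed: true},
		{ID: "V3", CVSS: 6.5, ExploitPublic: true},
		{ID: "V4", CVSS: 9.0},
		{ID: "V5", CVSS: 5.3, SeenInAttacks: true},
		{ID: "V6", CVSS: 8.1, ExploitPublic: true, Exposed: true},
	}
}

func main() {
	const budget = 3 // patches the team can ship this cycle
	for name, ranked := range map[string][]Vuln{"cvss": RankByCVSS(Sample()), "attacker": RankByAttacker(Sample())} {
		fmt.Printf("%-8s order=%v weaponized covered by top %d: %.0f%%\n", name, IDs(ranked), budget, 100*WeaponizedCoverage(ranked, budget))
	}
}
```

With a budget of three patches, the CVSS ordering fixes V1, V4 and V6 and covers one of the four bugs an attacker could use today; the attacker ordering fixes V2, V5 and V6 and covers three of them. The two unexploited criticals still get patched, just not first. The caveat is that the flags are only as good as the threat intelligence feeding them, so a bug with no public exploit is “later”, not “never”.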

Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches

External data breaches from groups like Anonymous and internal data leaks from insiders such as Edward Snowden have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?

Many of the questions, and much of the confusion, have to do with executives not understanding where their critical assets are and how they need to be protected. Their sense of security is skewed by the fact that they’ve passed their compliance requirements, causing them to think they are safe. For most companies, if they were truly targeted by a sophisticated and determined attacker, they would fail miserably.

Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. There are fewer devices exposed and even fewer ports open that could provide an avenue for attack.

via Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches.

Read the article for the details, but the four problem areas are:

  1. Asset management and putting in place proper protection mechanisms for those assets
  2. Not knowing or understanding the “principle of least privilege” (I’d also add “default deny”) and “need to know”
  3. Security training and awareness
  4. Shared credentials and password reuse

In my opinion items 1, 2, and 4 tie into my preference for dealing with security’s “low hanging fruit”, the basic tenets we all should do 100% of the time. Security awareness and training has value, but I think there’s too much focus on it. That focus takes time, money, and effort away from those security tenets I mentioned before.


ISC Diary | Tools for reviewing infected websites

At the ISC we had a report today from Greg about obfuscated JavaScript on the site hxxp://fishieldcorp.com/. A little research revealed that this site has been infected in the past. Nothing extraordinary, just another run of the mill website infection.

What did strike me is how the nature of this research has changed in recent years. Not so long ago checking out a potentially infected website would have involved VMs or goat machines and a lot of patience and trial and error. Today there are so many sites that will do the basics for you. Greg sent us a link to URLQuery which displays a lot of information about a website including the fact that this one is infected.

via ISC Diary | Tools for reviewing infected websites.

Cisco launches open-source tool for penetration testers | ZDNet

Cisco has opened up access to Kvasir, which helps penetration testers worldwide assess the security levels of computer systems at a glance.

In a blog post, Kurt Grutzmacher, solutions architect at Cisco’s Security Practice Advanced Services team, said that the tool was initially created for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team to keep track of the tests and data collected by the firm’s penetration testers.

A pen test is a way to test a system’s security standard by simulating a cyberattack.

During typical assessments of network security, pen testers may analyze between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, and then they have to collect, sift through and document the results.

via Cisco launches open-source tool for penetration testers | ZDNet.

Now You See Me – H-worm by Houdini | FireEye Blog

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.

via Now You See Me – H-worm by Houdini | FireEye Blog.
