Engagement Zen: Transforming IT & the Business through Security for Fun + Profit

Recently I presented a talk at BSides Detroit 2014. It was a fantastic experience. The organizers were excellent. The audience was great. I loved standing up on stage in front of people for the first time in almost two years. The feedback was constructive and wonderful. I look forward to continuing the conversation and presenting this talk at other events.

What’s the talk about? It’s about how Security is a different entity inside of any business, assuming Security’s role persists in-house and isn’t out-sourced. Security Professionals cross all the silos that a traditional IT organization creates and isolates itself within (DBAs, AppDev, Linux SysAdmins, Windows SysAdmins, Network, etc.). Security Professionals see and interact with parts of the business that IT typically doesn’t (HR, Legal, Finance, R&D, etc.). This provides Security with a unique perspective.

Security must leverage their unique position to make a positive and memorable impact with IT and the business. Spreading Fear, Uncertainty & Doubt (FUD) isn’t the way. Conveying the message that the sky is falling isn’t the way. Constantly saying “no” isn’t the way.

What is the way? Talk with IT & the Business. But don’t talk with them about what you want, which is Security. Talk with them about what they want. Ask them about their fears and concerns and problems and what they wish they could do but don’t know how to do.

I wanted to come up with an approach that wouldn’t need approval or bureaucracy or some management intervention. I wanted something anyone could do at zero cost at any time with little to no gear needed.

And thus: Interview them. See the slide deck for how to go about this.

If you can solve a problem of IT and/or the Business, one that leverages Security’s unique view inside of the organization, then they will want to engage with Security in the future. If done properly they will seek you out, accept when you engage, and consider you a trusted advisor.

It also has the benefit of action. That is much preferred versus waiting for someone to realize that security is important.

Several people have asked where to get my slide deck for the talk. You can get it from Dropbox here.

Road Work Blues

I’m not sure who in the Michigan Department of Transportation (MDOT) or the Road Commission for Oakland County (RCOC) decides that late October is a good time for beginning road work. I’m also not sure who decides how they’ll handle lane closures or sign the work.

And I’m not sure who is actually doing the construction as there were no signs, no trucks, and no workers working.

Whoever they are, they need training.

Case in point: the Woodward Ave/Main St./Washington Ave./I-696 work. There are multiple bad decisions and lack of planning mistakes here.

  1. From Washington Ave to southbound Woodward, two left turn lanes immediately become one after the turn with no warning signage.
  2. From Main St./I-696 westbound access to southbound Woodward, the same issue as above in a different spot.
  3. From eastbound I-696 access to northbound Woodward, the same issue.
  4. I suspect that there are other pain points based on the almost 60 minutes it took me to travel 0.25 miles.

Meanwhile we’re expecting our first snowfall, so this week makes a questionable candidate for road resurfacing.

Have you run into this fine bit of road work? Where are your commute pain points?

Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com

October has always been John Flynn’s favorite time of year, but this year, it’s even better. He gets to spend the month trying to hack into a fleet of Facebook computers equipped with a new kind of security tool — a tool that takes computer security beyond the password.

Since jumping to Facebook from his job at Google a few years ago, Flynn has been part of the Facebook security team that masquerades as bad guys during the month of October, doing their best to bust into the corporate network that underpins the social networking giant. They call it “Hacktober,” and the idea is to find the holes where the real bad guys might attack the company. Last year, Flynn and other Facebook security engineers created a fake news story designed to spread a computer worm around the network.

Flynn — who goes by the nickname “Four” — won’t say what’s in store for Facebook’s employees this October, but one thing seems certain: Hacking them is going to be that much more of a challenge. Over the past year, the company has equipped many employee systems with Yubikeys, little pieces of hardware that let employees securely log into machines with the tap of a finger. This nifty tool can make it that much harder for hackers to bust into a corporate network and do whatever they want — even if the hacker manages to take command of an authorized network machine.

via Facebook Pushes Passwords One Step Closer to Death | Wired Enterprise | Wired.com.

Hackers target high profile domains – Securelist

During the last days, several high profile domains have been defaced including domains from two prominent security companies. In addition to these, high profile domains such as alexa.com, whatsapp.com and redtube.com were also defaced. From our quick analysis it does not seem that the actual webserver has been compromised; the most possible attack vector was that the DNS has been hijacked.

When looking into this, there are some quite obvious traces but nothing that really confirms what the hackers did; or what kind of information they were able to obtain. When analyzing previous compromises and defaces it seems that there is a “new” trend within hacking groups and defacers to go for the DNS or domain registrars instead of compromising the actual webserver. When quickly analyzing the domain there were two indicators that stood out.

via Hackers target high profile domains – Securelist.

Read on for the details and the two interesting indicators.
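The distinction Securelist draws above (defaced page, but the web server itself apparently untouched) is one you can test for yourself. As an added example, not taken from the Securelist write-up or from this post, the Python below takes dig-style NS and A records for a domain plus what the owner knows to be true (registered nameservers, the address blocks its web servers live in, a hash of the legitimate page) and decides whether the evidence points at a DNS/registrar hijack or at a compromised server. The domain, nameserver names, addresses and hashes in it are constructed sample data, and the record lines are hand-written in the usual `dig` answer-section format; the two "indicators" Securelist refers to are not reproduced here because the quoted text does not say what they were.

```python
"""Triage a defacement: DNS/registrar hijack vs. compromised web server.

Added example (not from the Securelist post). All domains, nameservers,
addresses and hashes below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def parse_dig(lines):
    """Parse dig-style answer lines (name ttl class type rdata) into {type: {rdata}}."""
    records = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        name, ttl, klass, rtype, rdata = line.split(None, 4)
        if klass != "IN":
            continue
        records.setdefault(rtype, set()).add(rdata.rstrip("."))
    return records


@dataclass(frozen=True)
class OwnerFacts:
    """What the legitimate domain owner knows about their own setup."""
    nameservers: frozenset        # NS hostnames they registered (no trailing dot)
    web_prefixes: tuple           # CIDR blocks their web servers live in
    known_good_hash: str          # hash of the page the server should be serving


def classify(dig_lines, served_hash, facts):
    """Return (verdict, findings) for a domain that is serving unexpected content."""
    seen = parse_dig(dig_lines)
    findings = []

    # Indicator 1: the delegation in the parent zone no longer matches what the
    # owner registered. Only a registrar/DNS-provider account can change that,
    # so this points at the registrar, not the web server.
    ns = seen.get("NS", set())
    if ns and ns != set(facts.nameservers):
        findings.append(f"NS delegation changed: {sorted(ns)}")

    # Indicator 2: the name resolves to an address outside the owner's space.
    rogue = [a for a in seen.get("A", set())
             if not any(ip_address(a) in ip_network(p) for p in facts.web_prefixes)]
    if rogue:
        findings.append(f"A records outside owner address space: {sorted(rogue)}")

    if findings:
        return "dns_hijack", findings
    if served_hash != facts.known_good_hash:
        # DNS and addressing are intact, yet the content differs: the box itself.
        return "webserver_compromise", ["content changed while DNS points at owner's servers"]
    return "no_defacement", []


# Constructed sample data.
OWNER = OwnerFacts(
    nameservers=frozenset({"ns1.hosting.example", "ns2.hosting.example"}),
    web_prefixes=("198.51.100.0/24",),
    known_good_hash="sha256:good",
)

HIJACK_DIG = """
;; ANSWER SECTION:
victim.example.   300  IN  NS  ns1.rogue.example.
victim.example.   300  IN  NS  ns2.rogue.example.
victim.example.   60   IN  A   203.0.113.55
""".splitlines()

SERVER_DIG = """
victim.example.   300  IN  NS  ns1.hosting.example.
victim.example.   300  IN  NS  ns2.hosting.example.
victim.example.   300  IN  A   198.51.100.10
""".splitlines()

if __name__ == "__main__":
    print(classify(HIJACK_DIG, "sha256:defaced", OWNER))
    print(classify(SERVER_DIG, "sha256:defaced", OWNER))
```

In practice you would feed it the NS set from the parent zone (`dig +norecurse NS victim.example @a.gtld-servers.net` for a .com) rather than from your own recursive resolver, since a hijacked delegation is exactly what a poisoned or stale cache would hide.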

Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog

FireEye researchers have discovered a rapidly-growing class of mobile threats represented by a popular ad library affecting apps with over 200 million downloads in total. This ad library, anonymized as “Vulna,” is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. Vulna is also plagued with various classes of vulnerabilities that enable attackers to turn Vulna’s aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. Most vulnaggressive libraries are proprietary and it is hard for app developers to know their underlying security issues. Legitimate apps using vulnaggressive libraries present serious threats for enterprise customers. FireEye has informed both Google and the vendor of Vulna about the security issues and they are actively addressing it.

Recently FireEye discovered a new mobile threat from a popular ad library that no other antivirus or security vendor has reported publicly before. Mobile ad libraries are third-party software included by host apps in order to display ads. Because this library’s functionality and vulnerabilities can be used to conduct large-scale attacks on millions of users, we refer to it anonymously by the code name “Vulna” rather than revealing its identity in this blog.

via Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions | FireEye Blog.

I’m just starting to read up on this. Does anyone know of reliable secondary sources?

Securing More Vulnerabilities By Patching Less — Dark Reading

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco — now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm — duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

via Securing More Vulnerabilities By Patching Less — Dark Reading.

Hmm. This is, to me, a new take on patch management. It oddly falls in with a discussion I had almost two years ago, oddly in that my peers and I came up with the same concept for different but related reasons.

What do you think?
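To make Velazco’s idea concrete: rank findings by what an attacker would actually use (exploited in the wild, a public exploit, reachable from the Internet) and let CVSS only break ties. The Python below is an added example, not code from Dark Reading or from Blackstone, and it does not describe Velazco’s actual process; the weights and the vulnerability records are constructed to show how the two orderings diverge. The `VULN-*` names are placeholders, not real identifiers, and the exploit flags would normally be populated from an exploit database or a Metasploit module list.

```python
"""Attacker-centric patch prioritization vs. severity-only prioritization.

Added example; weights and records are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    name: str                # placeholder identifier, not a real CVE
    cvss: float              # vendor/NVD base score, 0.0-10.0
    public_exploit: bool     # working exploit or PoC publicly available
    exploited_in_wild: bool  # seen used in real intrusions
    internet_facing: bool    # the affected host is reachable from outside
    hosts: int               # how many systems carry it


def attacker_score(v):
    """Score by how likely an attacker is to actually use this bug (constructed weights)."""
    score = 0.0
    if v.exploited_in_wild:
        score += 40
    if v.public_exploit:
        score += 30
    if v.internet_facing:
        score += 20
    score += v.cvss  # tie-breaker only: contributes at most 10
    return score


def severity_order(vulns):
    """The approach the article says kept IT busy: highest CVSS first."""
    return [v.name for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def attacker_order(vulns):
    """Patch what an attacker would chase first."""
    return [v.name for v in sorted(vulns, key=attacker_score, reverse=True)]


def patch_plan(vulns, budget):
    """The first `budget` items from the attacker-centric ranking."""
    return attacker_order(vulns)[:budget]


# Constructed sample inventory.
INVENTORY = [
    Vuln("VULN-A", cvss=9.8, public_exploit=False, exploited_in_wild=False, internet_facing=False, hosts=120),
    Vuln("VULN-B", cvss=7.5, public_exploit=True,  exploited_in_wild=False, internet_facing=True,  hosts=3),
    Vuln("VULN-C", cvss=5.3, public_exploit=True,  exploited_in_wild=True,  internet_facing=False, hosts=40),
    Vuln("VULN-D", cvss=8.1, public_exploit=False, exploited_in_wild=False, internet_facing=True,  hosts=15),
]

if __name__ == "__main__":
    print("severity-only:", severity_order(INVENTORY))
    print("attacker-centric:", attacker_order(INVENTORY))
    print("this week's patch budget (2):", patch_plan(INVENTORY, 2))
```

With a budget of two, the severity-only list spends the week on VULN-A and VULN-D, neither of which has an exploit anyone can run, while the attacker-centric list closes VULN-C and VULN-B, the two an intruder would reach for. The weights are deliberately coarse; the point is the ordering, not the numbers.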