This past week I presented on getting started building a home lab at CircleCityCon and ShowMeCon. Below are the resources and content Chris Maddalena and I created around the topic.
Improve WordPress security in three steps
WordPress websites allow individuals or organizations to get a website stood up quickly. With easy customization, WordPress is a flexible and powerful platform for websites. Unfortunately, because they're easy to setup security often times gets overlooked. Outdated and unused plugins can lead to compromised website. That compromise is typically in the form of redirects to malicious sites that try to install malware on a visitors machines. Most of the time an owner is unaware of the compromise.
All hope is not lost. There is a way to securely run a WordPress site.
These three practices will help maximize security on a WordPress site:
Run only the programs needed
Run a security plugin like iThemes
Keep all plugins up-to-date.
The theme here is plugins. WordPress itself is a well built platform. The security issues that arise from the core are minimal. What makes WordPress sites vulnerable are plugins. The reason for that is that anyone can create a plugin.
Only run the plugins needed
I get it. We see a plugin we like and install it on the site to try it out. We forget about it or we deactivate it to try another plugin. That plugin sits there and sits there. And sits there. And sits there. If a plugin has been sitting there for a while remove it. A deactivated plugin is vulnerable to exploitation. If it’s deactivated remove it. It's just as easy to reinstall later.
If this is for an organization the same IT principles apply. Deactivate any active plugins that seem unnecessary or unused. Wait for a period of time to ensure there are no adverse affects, then remove it. A plugin installed on the site, even if it is deactivated, is still vulnerable to a malicious actor.
Run a security plugin
There are plenty of good security plugins available for WordPress. A security plugin will add more features and settings to help make a site more secure. Here is a list of seven courtesy of Infosec Institute . I’ve only used iThemes, so I can’t speak to the quality of the others. Try out a few and see which one works the best. Remember the section above.
Keep WordPress and plugins up-to-date
Most vulnerabilities in WordPress-based sites aren’t from WordPress. They are usually from the plugins installed on the site. The core itself is pretty solid. The plugins are usually what make the site vulnerable. Look for plugins that are kept updated. Then update when a new version is available. It’s as simple as that.
The update process is quick and painless. Make sure to have good backups. Some hosting providers will provide this feature. Login to the site weekly to check for an update. A weekly reminder works wonders.
Conclusion
Only run plugins needed on the website. That means removing all unused plugins. Install a plugin for security. There are several available. I’m the most familiar with iThemes, which is why I recommend that plugin. Try out a few and find one that fits the website the best. Keep all plugins up-to-date. Even if the website isn’t logged into on a regular basis. Set a reminder and login once a week to check for updates.
WordPress sites are one of the most vulnerable platforms out there. One of the reasons for that is that a lot of people use it. A lot of people use it, because it is an easy platform to setup and maintain. That goes for security on the platform as well. Follow the three pieces of advice above and help make the internet a safer place.
This post first appeared on Exploring Information Security.
NSA TAO Chief Rob Joyce on network defense
The above video is from the USENIX Enigma conference, in which Rob Joyce, Chief, Tailored access Operations, of the National Security Agency spoke. He spoke from the attackers perspective and gave some best practice advice and recommendations. Those that have been in the information security perspective for any extended period of time won't be surprised, but it's worth repeating.
I would recommend watching the video. It's only about 35 minutes long. If you don't have the time here are some notes I took on the talk.
BEST PRACTICES
Perform a third-party penetration test
Fix the items in the penetration test report
"You have to be continually defending and improving"
Understand the normal baseline for the traffic on the network
Monitor the network
Least privelege
Network segmentation
Enable and audit logs
Application white-listing (at the very least do high risk assets)
Anti-virus - reputation services
Incident response plan
RECOMMENDATIONS
This post first appeared on Exploring Information Security.
Security and SDLC: Getting started and working with others
Getting security into the software development life cycle (SDLC) seems easy. Just write good code and wallah security is in an application. That would be nice, but unfortunately, it doesn’t work like that.
The very first step to implementing security in the SDLC is to have support from leadership. I was lucky enough to have that when I was tasked with this responsibility. Before a new application went live, management asked if security had reviewed the application. Simple. Sweet. It made my job a lot easier. I didn’t have to constantly track down applications or bang the developers over the head. They were coming to me. Which was important in improving the process as the security assessment program matured.
The next step is to get familiar with the tools. OWASP ZAP and Burp Suite are two low-cost tools that can help with performing a security assessment. ZAP is free and Burp Suite costs $350 for the professional version. I’ve covered ZAP in a previous post. Both tools have plenty of resources available to start diving into.
I highly recommend training. I took SANS 542 and it helped tremendously. I learned a lot about the methodology and vulnerabilities associated with application security. If you happen to be in the southeast you may be able to catch a Tim Tomes training course. Troy Hunt’s stuff on Pluralsight is also a really good resource.
Security should be implemented at all stages of the SDLC. Which means a security person should be involved in the early stages, as well as the late stages. The should be at planning meetings making recommendations. They should also be tracking and checking in on progress. Towards the end is where the actual security assessment occurs using tools like ZAP or Burp, but the work doesn’t end there. Confirming findings and generating a report starts the next phase. Finally, Remediation is an important step and requires working closely with the development team.
Working with developers and system administrators
Working with other departments is vital in implementing strong security. For simplicity sake I’m going only going to mention developers. However, don't forget the system administrators. Developers build the applications and the sysadmins are the ones that maintain it. Some findings will require the help of sysadmins configuring the servers that run these applications. Do not overlook them.
There are two big no-nos in working with other departments. Not confirming findings and not providing guidance on findings that need to be resolved.
Confirming findings is very important. Each false positive that a developer finds is credibility the security team loses. Developers have enough on their plate, with applications to build and ambitious deadlines to meet. They don’t need to spends hours on a problem only to find out that the security team made a mistake. Scanners do make mistakes. Make sure each findings are confirmed and can be explained. This goes along with the second part.
Work with the developers to resolve the findings. Vulnerabilities in code will need the security team's help in remediation. Developers are really smart. In my situation, a lot of the time, the developers knew how to fix the issue. But other times, I had to help them research a solution. New vulnerabilities are being discovered daily and it's the security team's responsibility to be on top of them.
One of the benefits of helping developers resolve issues is that it gives us an opportunity to build a better relationship with them.
Building a relationship allows for an easier transition to security. As I mentioned earlier, developers are under a lot of pressure to get things up and out. Security can come in and add more pressure or it can allow them to make better applications. Enabling them to do their best is our goal. A relationship with the developers will make that transition much smoother.
How to build a better relationship
Ask the questions. People love talking about what they do, especially, if they’re passionate about it. Ask questions and show an interest in their work. Coming from a non-development background meant I had a lot to learn. Which gave me plenty of opportunities to ask questions. By making an effort to understand their work, I gained credibility as a problem solver. I showed that I wanted to understand their work.
Help solve the problems. ZAP reports have a reference and solutions section. Go through those. Get on Google. Review YouTube videos. Read blog posts. Do whatever is needed to understand the fixes for code. Then dive into the code with the developers to understand the fix. Provide the developers with as many resources as possible to get the job done and then learn from them.
Teach them the tools. This goes back to implementing security at all stages of the SDLC. The earlier issues are caught, the less it will cost to resolve. This is where leadership support comes into play. With leadership ensuring that the SDLC ran through the security team it helped create the story below.
Storytime
After running several security assessments for new applications, the developers wanted to know more about the tool I was using. If they’re going to have to run an application by me, they want to understand the tool I'm using. Each time I found something meant time we had to go back and remediate and then re-scan. So, I started showing them how to run ZAP. I did one-on-ones with developers and held training sessions on the use of the tool. Something amazing happened as a result of that.
One day, we started receiving reports that a scam email was being sent to customers via our service. The thought was that as people signed up for a new account, they would receive a scam email. Not something we wanted to take lightly. While I investigated the message of the scam, I asked one of the developers to go create an account. The idea was to see if the scam email did in fact come after account creation. So he did.
He returned to me and told me that there was no scam email after account creation. He then handed me the ZAP report. Wait. A ZAP report? Mind blown. I hadn’t even asked him to use ZAP while checking for the scam email. I had intended to do that myself, but he went ahead and did it.
That likely doesn't happen if leadership isn't committed to security.
*By the way, ZAP wasn’t built by someone in security. It was built by Simon Bennetts, a developer. This tool was built by a developer, for developers. Security people just thought it was a neat tool.
Conclusion
Leadership support is important to the successful implementation of security into the SDLC. Tools are a wonderful way to get started with finding vulnerabilities. They are by no means perfect. As the program matures more manual and in-depth testing is needed. Training can help with that. Also, stay on top of the latest application security news. There's something new every day.
Security needs to be implemented at all stages. Which means attending developer planning meetings. Tracking project status. More importantly, understanding the business needs in application development. Interviewing and meeting with project managers and developers individually.
Finally, work with the developers and sysadmins to resolve issues. Be there as a resource and a student to their craft. Ask questions. Solve problems. Teach them the tools. It will go a long way in enabling them to be better.
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - PDQ Deploy for patch management
Patch management is one of the hardest initiatives to solve for an organization. Setting up a Microsoft Windows Server Update Services can help with Windows updates. Third-party software patching is a bit trickier. Secunia and other options are available for those with the financial resources. For everyone else I recommend PDQ Deploy.
What is PDQ Deploy
PDQ Deploy is an Admin Arsenal offering. It’s free to download and use. The free version is limited, but can give you an idea of what to expect with the program. The enterprise version costs $500 and well worth it.
The program helps to solve patch management, but it can also function as a general software deployment solution. In my previous post, I talked about EMET. PDQ Deploy is the tool I used to easily deploy EMET to my environment. Packages come pre-configured. No parameters or variables need to be set. Just download, select your target computers, and fire. If the need arises, packages are modifiable, however.
Why patch management is important
Patch management helps keep systems from getting exploited. PDQ Deploy provides a simple way of downloading third-party updates and pushing them. Yet another Adobe Flash update? PDQ Deploy it. I have so much confidence in the tool that I would deploy Adobe Flash updates during the day. Maybe not something you want to do with everything (and not something I would recommend doing the first time), but Flash deployed without issue.
PDQ Inventory ($500 enterprise version) another Admin Arsenal offering, will help with automating the process. FULL DISCLOSURE: I did not get an opportunity to try out PDQ Inventory. We ended up integrating PDQ Deploy with a different inventory software (another plus). Below is a video that walks through how to use PDQ Deploy and Inventory to setup automated patching for Adobe Flash. These guys have a great YouTube channel, by the way, that walks through several different features and functions of the PDQ products.
PDQ Deploy by itself is a software pusher. It does not check for version on the current machine. It won’t care if the software is on the machine or even needs the update. The problem with that is that it increases the attack surface on the machine. PDQ Inventory combined with PDQ Deploy will work to determine version or if it’s installed on the machine, in the first place. As mentioned earlier, PDQ Deploy has the potential to work with other inventory software. Which is beneficial if there is something already in place. If not, check out PDQ Inventory. If it's as half as good as PDQ Deploy, it's a win for you.
How to use PDQ Deploy
Open PDQ Deploy (or go to Admin Arsenal's YouTube channel).
The left pane is for navigation. The Package Library is where software packages are downloaded. Packages is where all the downloaded packages can be viewed.
To download a new package, search for the software package by Categories or Vendors. I typically searched Vendors, because I knew what I wanted (Adobe Flash gets updated a lot). For this example we’ll use Adobe to grab the Flash package. Go to Package Library -> Vendors -> Adobe. Highlight Flash and then click the Import Selected button in the top right corner. The package will download and appear under Packages. Highlight the package and then click the Deploy button and Deploy Once in the top right corner. This is also where packages can be edited or scheduled to run if necessary.
Click the Choose Targets button and select how to deploy the package. Packages can be deployed via:
Active Directory
PDQ Inventory
Spiceworks
Target List
Text File
For my test group I usually put all my IP Addresses in a text file and then pushed using the text file option. Use what is best for your specific environment. The selected machines will appear in the target window. The program will run a communications check on all the machines. Once that finishes click the Deploy Now button.
The window will close and the deployment begins. Progress can be viewed in the package view. Click on the deployment to show the progress of the deployment, and that’s pretty much it.
One final note. Credentials will probably need to be setup. To set this up, click on FILE in the top left and then click Preferences. Click Credentials in the left pane and then the Add Credentials button.
Conclusion
Patch management is a big challenge for organizations. Thankfully, PDQ Deploy can meet that challenge and may even exceed it. The program is intuitive, easy-to-use, and fits nicely in a small budget. On it's own PDQ Deploy is a powerful tool that helps get patch management under control. Combined with PDQ Inventory patch management will be a piece of cake.
This post wraps up my Blue Team Starter Kit series. Feedback is welcome. Any correct or clarification requests can be sent to timothy.deblock[at]gmail[dot]com. The introductory post can be found here.
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - Computer hardening with EMET
EMET is awesome.
Microsoft's Enhanced Mitigation Experienced Toolkit (EMET) is also free and adds an extra layer of protection to computers. Released in the fall of 2009, EMET is currently at version 5.2, with a 5.5 beta available for download. Each application and program on a Windows-based computer runs in a predefined way on a Windows-based OS. When malware infects a machine, it tries to take advantage of the predefined interaction. EMET attempts to hide that interaction from malicious software. This article will explore more of this idea, as well as talk about how to deploy it to an organization.
What is EMET?
When Windows XP was nearing end of support, we realized that we weren’t going to meet that date. This lead me to research ways of mitigating this issue. Soon after I discovered the EMET.
This wonderful tool added another layer of protection to our machines. The user guide has a good technical breakdown on all the protection features. The gist of it is that EMET attempts to randomize or hide how applications interact with the Windows OS. When malicious code attempts to run using a predictable process, EMET blocks and alerts on it.
EMET can be installed in the enterprise or even on a home computer. At home, simply download and install.
It's interface is easy to use. The main window features the ability to enable, disable, or opt-in applications to the defense features. It also shows the processes EMET is protecting. Navigate to the "Application Configuration" window by clicking the Apps button. Here is where individual protections can be enabled or disabled for applications.
These two windows are the main windows for configuring most of EMET's functionality. We'll talk more about configuration as we dive into deploying EMET.
How to deploy EMET
EMET can be deployed any number of ways. If your organization has Microsoft System Center Configuration Manager, congratulations you win! If you don’t deployment will be a bit trickier, but still painless. The article next week will cover PDQ Deploy. Which is a low-cost option for deploying EMET (as well as other software). Before EMET can be deployed some preperation work needs to be done..
I would highly recommend deploying it to a group of test users. To setup a test group, identify one user and computer from each department. The more people added to the group the better. Try to have a good relationship with these people. A relationship is key to getting prompt and informative feedback on any issues. Offer up something like personalized help for issues with EMET.
The reason for the test group is to ensure that the computers in an organization work with EMET. As great as EMET is, it can have issues with certain programs on the computer. I deployed EMET 4.0 to my organization without a hitch. I tried to push 5.0 and derped Microsoft Office and IE on all developer and mainframe machines. That was a fun morning! I resolved the issue on each computer quickly, but it caused some consternation. Do it once or twice and people will eventually forgive you. Do it more than that and it will be much harder to get new security initiatives deployed.
To configure EMET, Open the interface by right clicking on the icon in the bottom right corner of the screen. The main interface shows the protections and the process EMET is running on. Protection profiles can be imported or exported. Clicking the Import button will have some predefined profiles to use including:
CertTrust
Popular Software
Recommended Software
Start with Recommended Software.
Next, click Apps to open the Application Configuration interface. This interface allows for the configuration of each individual protection on specific applications. When an application is blocked by EMET, a small pop-up will appear in the bottom right corner of the screen. The pop-up contains information for what application and what defense fired. This is useful for troubleshooting when a legitimate application is blocked. To resolve the issue, uncheck the protection for the that application. EMET requires a reboot after each change, but the issue may be resolve after unchecking the box.
That's the general idea of configuring EMET. Each organization and department is unique. Finding the right configuration can take time.
After finding the best configuration for your organization, you'll want to have central control of the configuration. This is possible with Group Policy. Group Policy allows for control of the options on the main interface. To gain control of the Application Configuration window a logon script will need to be setup.
There are a few different ways to get the options for EMET to show up in Group Policy. There will be links at the bottom of this post leading to those options. One of the great things about EMET is that a lot of information security professionals have written about it. The method I used was to drop an .adml and .admx file onto one of the Domain Controllers.
Check the more resources section for different methods on getting control of EMET.
Conclusion
I'll reiterate the opening statement: EMET is awesome. It's free. Easy to use. There's been a lot of article and guides written on it. Best of all it adds an extra layer of protection to machines. There is some work and planning involved, but it will pay off in the end.
More resources
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - Forensics with Redline
“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standing operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is until I found Mandiant’s (Now Fireye’s) Redline tool.
What is Redline?
It’s a free tool that allows me to do an investigation on potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).
The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects all the log sources from the computer and puts it all in one location for analysis. This is useful for investigating incidents where an incidents specific time frame is available.
The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI is for analyzing processes and IOCs for artifact defining. Refer to the user guide for more information on using these.
Alternative Tools
Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and from the sound of it does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.
There’s also the SANS Investigative Forensics Toolkit (SIFT). Which is a VMware workstation loaded with forensics tools. It’s been awhile since I’ve used the tool. From what I remember this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensics analysis on potentially compromised computers.*
*As you may have noticed by now I keep using the word “potentially” compromised computers. That’s because one of things I discovered using Redline is that false positives happen.
How to use Redline
Download and install Redline. I would also recommend downloading the user guide as well. The user guide is how I got started using the tool. It will explain the ins and the outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.
Still with me? Let us proceed.
Launch Redline and, click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activities happen in memory. Collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.
*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down. A reboot or shutdown will wipe whatever is in memory.
When a compromised computer is discovered, get the collection package on the computer. There are a few options for getting the package on a computer. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method for accomplishing this.
To run the package, execute the “RunRedlineAudit” batch file in the collection package. A command prompt (black box) will pop-up and begin run a script to collect all the events on the computer. The collection can take several hours depending on how much is on the computer, it’s processing power, how much memory it has, etc.
Once the script completes, open it in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.
After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation. Refer to the user guide for explanations on these. A Timeline will appear with all events from registry changes, browsing history, event logs. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything. Which is why it's a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after a certain time period. If the information available on the incident is vague, a wider time period may be needed. For more accurate time a smaller time period can be used.
For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after a specific time. When I didn’t have an exact time, I would go as high as 15 mins before and after. One thing to note is that the time on events is in GMT time. A conversion to GMT is needed to match the time from the incident to the computer (+4 or +5 hours).
Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. One incident I responded to, several users had clicked a phishing email. A block box had popped up on their machine and then went away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure Google it.
That's pretty much it. The process I use is very simple. It gets me the answers within a relatively quick time period and helped me make better decisions. Doing the analysis above I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefits of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.
The tool and its alternatives are much deeper and offer valuable information for decision making.
Conclusion
With Fireye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pickup and just start using. There’s some good documentation and I know of at least one YouTube video available.
Of course, there are plenty of other reputable options. Volatility being the one that I see most people talking about. Whatever tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment. How to adjust defenses and identify false positives and just make better decisions overall.
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - ZAP for application security
I remember hearing about ZAP on my ride into work, listening to Security Weekly. After a little researched I discovered that it was a tool supported by the Open Web Application Security Project. OWASP is an open source non-profit organization focused on providing better application security to organizations. The best part about the tool is that it is free!
What is ZAP?
ZAP stands for Zed Attack Proxy. Named such by Simon Bennetts who told me that he really wanted to name the tool ZAP (OWASP. Bugs. Get it?). Simon is not a security person by trade. He’s a developer and built the tool to help developers write better code. It just so happened that security people found the tool and started using it.
Setting up ZAP as a proxy allows for a tester to run through an application and find vulnerabilities. It uses the methods in OWASP’s Top 10 as part of its scan. I’ll get into the methodology of using the tool later. This automates and streamlines a lot of testing. Beware, the scanner is not perfect (no scanner is). Confirming vulnerabilities found by the tool is a very important part of the process. One false positive with developers and we lose credibility.
After testing is complete ZAP has an export report feature. The report can be exported in either an HTML or an XML format. The HTML is great for working with developers and researching and confirming each finding. With the XML format, a tool like ThreadFix or Dradis can be used to help track vulnerabilities.
The tool also has advanced features for further digging into the application. This is great as a tester gets more comfortable and better with the tool he has an opportunity to dig deeper into an application.
The alternative
The alternative to ZAP is Burp Suite. It does a lot of the same things that ZAP does with some minor differences. Burp has two versions: A community version (free); and a premium version (paid). The premium version costs $300 a year. For those looking to make a career in application security, getting familiar with Burp is a must. Learning both is a plus. Each tool has it's strengths and weaknesses.
How to get started
Download ZAP from the OWASP website and install. Launch the application. The first screen you will see is asking, “Do you want to persist the ZAP Session?” Persisting the session will allow you to close and re-open the ZAP session quickly. You can either:
YES Persist: Save it in the default directory (first option)
YES Persist: Specify the name and location (second option)
Do Not Persist: Or don't bother (third option)
If you intend to save your own sessions then select the third option.
One of the first things available when ZAP opens, is the Quick Start tab. This can be used to perform a very quick, top-level scan. To dig much deeper into an application it will need to be setup as a proxy. To do this go to: Tools -> Options -> Local proxy.
Select your settings (or leave everything default). Then open internet options. Click the Connections tab and click the LAN settings button. Under the Proxy server section check the box for “Use a proxy server for your LAN.” Make sure the Address field says "localhost" (default) and the Port field reads "8080" (default). Click OK and then Apply. ZAP is now intercepting all internet traffic. This includes any browsers or applications using the internet. I recommend running the application assessment from a separate machine or virtual machine. As a proxy it will collect all internet traffic your computer performs. Including browser traffic and any updaters installed.
Now that we’re setup, time to test.
Methodology
Run through the entire application. When I say the entire application, I mean the ENTIRE APPLICATION. Click on every link and button. Fill out every field and submit forms. This is best done in a test environment which developers should have. Coordinate with them for any functions that need handling on their end. Once the application has been explored, it’s time to use ZAP to map the rest of the application.
Before we do that though, it is a good idea to exclude any sites you don’t want to run ZAP on. Right-click any sites you want to exclude. Select Exclude From Proxy and click OK. There is some flexibility here, but for the most part I just exclude the sites from the proxy all together.
To map the application ZAP uses a Spider. Right-click the site, highlight Attack, and select Spider. The spider will run through the application and map it. The more the application was explored by the tester, the more it will find. ZAP also features an Ajax Spider attack for ajax content. This will open a browser, run through the website, and map the ajax content in the application.
After running the spider function, run the forced browse attack. This function will use a text file with common directory names to look for hidden directories. This attack can usually take several hours to run, depending on the size of the list. ZAP supports user created lists.
Active scan is run next. This is where discovery of vulnerabilities of the application occurs. The function will run through techniques in the OWASP Top 10. Clicking on the heartbeat monitor icon will allow you to watch the progress of the scan.
I want to mention one other type of attack that may or may not be used. The Fuzz attack or fuzzer. This is typically used for things like user enumeration (username discover). The attack allows for requests sent to be modified using a text file. This allows for the automation of sending many modified requests to the application. Viewing the responses we can build a list of usernames in automated and quick fashion.
Once the Active Scan completes we have a (hopefully not long) list of vulnerabilities. Export and view a report of the findings by clicking Report -> Generate HTML report. The report includes:
The type of attack
A short description
The vulnerable link
The attack
The solution
References.
Once the vulnerabilities are confirmed or rejected, it’s report writing time.
Conclusion
OWASP ZAP is a great tool for those just starting out in application security. Or those needing to stand up a security assessment program. The instructions above are meant to just get someone started with using ZAP. Both ZAP and Burp Suite provide a lot of granular control of and customization of it's features and functions. But both are very simple to use. Both are well documented (check the more resources section below).
If $300 is within the budget, Burp Suite is the tool of choice by application security professionals. I've tinkered with Burp Suite, but for the most part I've used ZAP. Free is hard to beat, but it also came in handy working with developers. As I was implementing the security assessment program in my organization, I quickly discovered that the developers were interested in the tool. That probably had more to do with managements support of the program. Still, when the developers started asking questions on how I tested, I simply installed the tool on their system. From there I showed them my techniques for performing assessments. Now, I'm easily showing the developers how to run their checks of the application before it even reaches me.
I probably could do the same with Burp Suite, but I have a few more hoops to jump through with the $300 price tag. The community version does a lot of the same things the premium does. It's just throttled. Again, if you're sure application security is where you want to be $300 is not an insurmountable amount of money. If you're still feeling out the field ZAP works is the best bang for your buck.
More resources
Lanmaster53 - Tim Tomes (he provides training too)
The Web Application Hacker's Handbook 2nd Edition by Dafydd Stuttard
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - Twitter for intelligence
Twitter is a wonderful tool for getting live streaming information from around the world. This isn’t exclusive to information security. Sporting, political, entertainment, and other types of news first break on Twitter. It's also a valuable research tool and forum to discuss security topics. This can work to the advantage of a security team that embraces the social media platform.
I first discovered the value of Twitter when the Heartbleed news broke. Initially, we thought Heartbleed wouldn’t affect us. But after finding a free scan tool via Twitter we discovered that we were dead wrong. Unsure of how this was possible we started investigating. Twitter having served its discovery purpose now shifted into a research tool.
At the time everyone was discussing the vulnerability. There were plenty of links each uniquely analyzing and explaining the vulnerability. XKCD even had a great comic on it. After gaining a basic understanding of the vulnerability we needed to confirm our findings. After some more research, we found a tool for that purpose. Twitter wasn't the only tool we used (Google previously discussed was also used), but it did compliment our efforts for understanding, testing, and ultimately mitigating the vulnerability.
There are several ways a security team can setup Twitter. We ended up creating a brand new account. This allowed us to share the Twitter feed among ourselves and various devices. We then followed as many security professionals and companies as we could find. Hashtags like #infosec are a good place to start when searching for accounts to follow. Other hashtags that can be scouted for infosec accounts to follow include:
#appsec (application security)
#dtsr (podcast discussion hash tag)
#pentesting (red teaming)
#dfir (digital forensics, incident response)
and many more.
Twitter also provides the list feature for carving out accounts that focus on an individual discipline. Simply, create a new list and start adding people to it. The great thing about lists is that you don't have to be following the account to add it to a list. This is useful for organization and to keep work from invading your personal Twitter feed constantly (if you have one). Lists are able to be subscribed to, if there's a desire not to start a new account.
Tweetdeck and Hootsuite are two options for managing multiple Twitter feeds. They allow for multiple feeds to be displayed in the browser. I typically have my person feed, personal interactions, the security team feed, and then either a hashtag or list.
If you haven’t incorporated Twitter into your day-to-day monitoring, do it. It’s a powerful tool that leverages live information on news, discussions, and tools. It’s free (which makes it affordable) and it’s simple to use. Keeping a thumb on the pulse of information security is essential for any security team.
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - Google for research
Google is a powerful tool for information security or IT in general. I was first introduced to Google back in 2003, while serving in the US Navy. Before Google I had used Yahoo, Netscape, and Lycos search functions with varying results. Once Google showed up, it changed the game. More accurate and quicker results became the norm. The other search engines began to fade until eventually Google was the reliable go to.
At my DerbyCon talk, someone mentioned Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown. The book takes a red team approach to utilizing Google. While that is important we're going to focus on some beginner level techniques in this post.
As with all the tools we’ll be covering, using Google is well documented. If a search technique needs better understanding, Google it. It’s that simple. Two of my favorite parameters to use are: quotation marks (“ “) and site search (site:).
Using quotation marks (“ “) around search terms will help refine searches. For example if I search for infosec tools I’ll get one set of results:
Using “infosec tools” I get a different set of results:
The first search term (infosec tools) is checking the entire page for the words infosec and tools. The second search tearm (“infosec tools”) is looking for that specific phrase in the web page. I've found using quotations useful for searching names and complex problems. Putting the quotations around a phrase helps refine the search. The search infosec tools returned 701,000 results; the search “infosec tools” returned 2,940 results.
This technique is also useful for using exact words with other terms. Example: Forensics “infosec tools”
The other parameter I like to use is the site: parameter. This parameter allows you to search within a specific site for specific words or terms:
That’s 19 results for the word NSA on this site. This is useful for searching blogs or sites that are difficult to navigate. Earlier today I came across this post on MOZ that talks about 25 operators specifically for the site: parameter.
There are numerous other search operators available to further refine searches. filetype: is another useful one. This operator is useful for discovering specific file types like a spreadsheet or PDF. Here are two of the many sites that dive deeper into Google search operators:
The Ultimate Guide to the Google Search Parameters by Pete Wailes
We’ve only scratched the surface, but this is a good starting point. Google is a powerful tool for security teams. Learning to use it effective is a valuable skill for any security team. From here disciplines like Google Dorking and OSINT await. As well as other tools that will help make your team better at what they do.
This post first appeared on Exploring Information Security.
Blue Team Starter Kit - Introduction
I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.
My talk Blue Team Starter Kit presents several security challenges with low cost solutions. It is for security professionals with limited resources including time, money, and people.
LIMITED RESOURCES IS ONLY AN EXCUSE
Limited resources can be it’s own challenge.
“If only we could buy this appliance, all our problems would be solve.”
Except that when that appliance come in, it takes time to configure and train. Oh, and that function that the salesmen says would solve all our problems, ya, that doesn’t work. Some appliances work great. Other times not so great. Unfortunately, when the not so great happens we lose money and time. Look in house before even beginning to research solutions that can solve problems.
Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender, love, and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.
Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.
CHALLENGE #1 - Research
Google is a fantastic tool for doing research. It is the first stop to begin solving difficult challenges. Understanding Google’s search techniques is a vital in becoming a proficient IT professional. COST: Behavioural data
CHALLENGE #2 - Threat Intelligence
So, how do I keep up with information security and it’s every changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and more precisely Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people to ask questions and make connections. Sure there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data
CHALLENGE #3 - Application Security
Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Setup as a proxy ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free
An alternative to this tool is Burp Suite which has a community version and a paid version. COST: $300 year (Professional version)
CHALLENGE #4 - Forensics
As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST:Free
An alternative to this tool is Volatility. COST: Free
CHALLENGES #5 - Endpoint Security
Microsoft’s Enhanced Mitigation Experienced Toolkit (EMET) adds an extra layer of protection to machines with Adobe Flash, Java, and Microsoft products involved. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often times have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free
CHALLENGE #6 - Patch Management
This is a big one and one that might be the most difficult of all the challenges. I tried a couple internal applications (it's amazing how many solutions have a deploy software function), with frustrating results. That is until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory it has the potential to help patch third-party software. COST: $500 (Enterprise version)
CONCLUSION
The challenges and tools above I plan to dive deeper into over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions, first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good of a job.
Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.
This post first appeared on Exploring Information Security.
DerbyCon talk and impressions
DerbyCon lived up to its top billing as one of the best security conferences to attend. It is amazing how much is going on at the conference the entire time. Five talk tracks, CTF competition, lock pick village, vendor area, and of course LobbyCon. And that doesn't include the evening festivities like Hacker Jeopardy, a showing of Hackers to hackers, or the two nights of concerts (DualCore and The Crystal Method). There was a constant roar coming from the lobby of DerbyCon each day from 8 a.m to 6 a.m.
The con was well located in downtown Louisville, Kentucky. Outside of the venue is a plethora of food choices and entertainment. All within a two block radius. The farthest I ventured away from the con was about three blocks for breakfast with a group of old and new acquaintances.
Speaking of acquaintances, I got to catch up with people I've meet at previous conferences, as well as meet some new ones. That is one of the best things about attending these conferences, the connections you create and maintain (and I've made a whole bunch in the one-plus year of attending cons).
Below is the recording of my DerbyCon talk and a link to my slides.
I was pretty happy with my talk. I wish I wasn't so monotone, but part of that was nervousness and the other part was sitting down for the talk. I believe later speakers stood up with microphone, which is something I should have done. Sitting down to give my talk sucked some of the energy from it. Looking past the lack of energy, I have gotten good feedback on the talk. Everyone that I talked to about the talk said it was good and useful, which was my ultimate goal.
I am very much looking forward to DerbyCon 2016
This post first appeared on Exploring Information Security.
BSides Augusta gallery and pictures
Media
The gallery for BSides Augusta can be found in my Photography section.
My Blue Team Starter Kit talk is available on YouTube.
Impressions
This was my second year attending BSides Augusta. As I've mentioned several times, this is one of the best run security conferences out there. You can tell pretty quickly that the organizers put a lot of effort and time into ensuring everything runs smoothly. This year was no different. I heard Mark Baggett tell one persont hat there were some minor hiccups in the morning. I didn't notice them. The only thing I could tell was that they overlooked the registration line. They had lines divided up into last name, but it was apparent entering the building.
Aside from that, everything else ran smooth for the conference. Speaking of attendance, the number reached 500 this year. That's up from 300 last year, which makes Augusta one of the bigger BSides events. The event is expected to grow even more as the Army continues to grow its cyber command at Fort Gordon.
I didn't get to sit in a lot of talks, but there seemed to be a pretty strong malware theme this year. Joel Esler's "2015 - It's Not Over Yet" and Wes Widner's "Lessons Learned from Analyzing Terabytes of Malware" are two such talks that stood out to me as I hoped from track to track taking pictures. But Paul Melson's "Viper Framework for Malware Analysis" and Alex Rymdeko-Harvey's "Malvertizing Like a Pro" are two more talks that deal with malware. I plan to go back through several of the session's at BSides Augusta after the baseball season is over.
If you live in the South East, I highly recommend BSides Augusta. Especially for security professionals working on a blue team. It's rare for a security conference to have two blue team tracks and I don't see that changing in the future. Put the event on your calendar for next year. I promise you won't be disappointed.
This post first appeared on Exploring Information Security.
Back from vacation: Trends 2015, DerbyCon, and podcast
Trends 2015
October 28, 2015, IT-ology will be hosting Trends 2015, which will focus on:
"...the overall digital transformation taking place in society and the associated security issues that come along with it."
The ColaSec group has been asked to help with promoting and finding speakers for the event. The call for presenters is now open. Here are the details:
IT-oLogy presents Trends 2015
Cybersecurity 2020: The Impact of Digital Business on Security
CALL FOR PRESENTERS NOW OPEN
Form to submit: https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod
What is Trends?
An IT-oLogy (www.it-ology.org) hosted annual conference focusing on technology issues and topics that are “trending” nationally as well as regionally/locally. Basically, it heightens awareness around issues that will impact the future of IT-oLogy partners, the local and regional community, and South Carolina in a big way. The conference is kicked off by a presentation from a Gartner analyst.
2015 Topic:
This year’s topic is the overall digital transformation taking place in society (everything is becoming ‘digital’) and the associated security issues that come along with it.
2015 Date/Location:
Trends will take place Wednesday, October 28 fro 9:00 am to 4:30 pm EST at IT-oLogy, 1301 Gervais Street, Columbia, SC 29201.
Call for Speakers:
The 2015 Call for Speakers is now open. We’re looking for talks in the following areas:
Digital Transformation
A massive “digital transformation” is taking place in society and the pace is only accelerating. Industries, as well as organizations and individuals, are being impacted in ways never imagined. What are examples of this transformation? How is it having an impact? Why is it important?
Security, specific to the following areas:
C level/Executive – security issues impacting executives at all levels (decision makers). Those topics executives should be aware of and know about.
Technologists – issues impacting those at a hands-on technical level. Target audience here will be technologists.
Citizen 101 – issues impacting everyday citizens. Things they should be aware of. Examples might include a very basic overview of how to encrypt email and/or attachments (most don’t have a clue), why changing passwords often is a must-do (and how to keep up with all those passwords), and other like issues.
Do you have a presentation? We’d like to hear from you! Please fill out the form and Todd Lewis (todd.lewis@it-ology.org) will respond!
https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod
DerbyCon
While on vacation last week, I was surprised to receive an email from the organizers of DerbyCon informing me that my Blue Team Starter Kit talk was accepted. I was a bit surprised to have my talk accepted, then I was a little terrified to be speaking at one of the biggest and well known security conference in the US. Now I'm really excited to be speaking at the event and I look forward to the experience of not only speaking at DerbyCon but attending the conference as well.
Which leads to my next point. I need to figure out a place to stay. If anyone wants to split a room, get in touch. Also, I'll be driving to Louisville, KY, from Lexington, SC, anyone in between is more than welcome to contact me about a ride. I will be heading to the conference on the 24th of September.
Exploring Information Security
I will be working on getting the podcast feed setup for the Exploring Information Security podcast, so I can submit it to iTunes and begin releasing episodes next week. Feedback and suggestions for future episodes are welcome.
This post first appeared on Exploring Information Security.
Prepare the patches
Two patches are coming down the patch management pipe starting today. First, Adobe is supposed to release yet another out-of-band patch for its flash player to address a zero day vulnerability discovered in the Hacking Team breach.
And on Monday OpenSSL announced they would be releasing a patch for a "high" severity vulnerability in OpenSSL versions 1.0.2d and 1.0.1p.
Hooray patches!
This post first appeared on Exploring Information Security.
Verizon Data Breach Investigation Report impressions
This is the first year I've read the full Verizon Data Breach Investigation Report. It was quite entertaining, but then again I'm into baseball and within baseball I'm into statistics. The report was easy to read, interesting, and informative and here are my impressions of the 70 page-ish report:
Threat Intelligence
Sharing threat intelligence is useful, but the strategy needs to be more, "going to the well" than "drinking from the hose." Think of the NSA's collection of information, which has been found to largely be ineffective at discovering attacks.
Phishing
Communications, legal, and customer service departments were all more likely to open a phishing email. There is no easy solution or magic wand that can make phishing go away. We need to focus on better filtering, developing and executing an ENGAGING and THOROUGH security awareness program, and improve detection and response capabilities.
Vulnerabilities
It's more effective to focus on getting a patch deployment strategy put in place, than trying patching systems as soon as a new patch is in place. Ten CVEs account for almost 97% of exploits observed in 2014. The ten:
According to this list, there is still a lot of vulnerabilities from the past that need to be patched. Getting a patching process in place is great for all the new stuff, but don't forget about all the old stuff that came out before the security team was in place.
Mobile
".03% of smartphones per week were getting owned by "high-grade" malicious code."
Android is the worst operating system (everyone saw that one coming) and, "most of the malware is adnoyance-ware and similar resource-wasting infections." This might change in the future, but for now it's not a huge area of concern.
Malware
My favorite line came from this section, "Special snowflakes fall on every backyard," which is in relation to "new" malware getting around anti-virus as being described as "advanced" or "targeted." Not the case according to the report. Malware is being given unique hashes to avoid detection by anti-virus.
Industry profiles
Each organization is unique, which is not earth shattering, but good to understand when looking at internal and external entities.
Impact
There is some supply and demand with data breaches: the higher the amount of records lost; the lower the cost of each record. Keep in mind records only tell half the story when it comes to the impact of a breach. There is fallout, not only within the company but outside it.
Incident classification patterns
96% of data breaches fall into nine basic pattersn:
POS Intrusions - 28.5%
Crimeware - 18.8%
Cyber-Espionage - 18%
Insider Misuse - 10.6%
Web App Attacks - 9.4%
Miscellaneous Errors - 8.1%
Physical Theft/Loss - 3.3%
Payment Card Skimmers - 3.1%
Denial of Service - .1%
These are all from the first half of the report. The other half of the report went into discussing each time of data breach and what we can learn. I highly recommend reading the whole report. Not only is it an easy read, but it gives great insight into the current landscape of breaches
This post first appeared on Exploring Information Security.
Protecting your computer from unwanted guests: Firefox with NoScript
In the final post of this series I'll look at my favorite tool, Firefox with the NoScript plugin. Firefox is a browser by Mozilla and NoScript is a plugin that can be installed on Firefox. What NoScript essentially does is blacklist all the "JavaScript, Java, Flash, and other plugins" running on websites. It also provides cross-site scripting (XSS) and clickjacking protection.
After downloading and installing Firefox, go to the NoScript site or plugin page and install it to Firefox. A reboot of the browser will be required, but NoScript will be up and running. Now comes the annoying part. Every website and every script running on that website will require your approval to run. This is great for avoiding malware and web ads, but means that a page might not run properly when you first visit it.
To allow a web page and some scripts that will be needed to perform functions on the web page, click on the NoScript icon, which is an 'S' with a prohibition sign. Click on the main web page and allow, this will provide some more functionality on the page as well as open up more scripts to unblock. And that's the tricky part figuring out which scripts to allow to run. A Google search can help with this, but sometimes it's just trial and error to allow the right script to get the function you want to run. If you get frustrated enough you can 'temporarily allow all this page,' 'allow all this page,' or 'Allow Scripts Globally (dangerous).' Allowing scripts globally will essentially disable the plugin and I would avoid if you can. Temporarily will allow as long as the browser is open and allow all this page will allow all the scripts on the page permanently. Some scripts might run on multiple sites, so allowing them once allows them for all websites.
This method of protection will require the most work on your part, but also provides the most security when browsing the web. Accidentally clicked the wrong link? No worries, the script that installed the nasty malware never had a chance to run. You'll also get to see all the useless crap companies put on their web pages.
This the final post in my series on Protecting your computer from unwanted guests. This was mainly to provide my brother a walkthrough for protecting his computers at work, but if any other security professionals would like to chime in with tips or other suggestion, I would love that.
This post first appeared on Exploring Information Security.
Protecting your computer from unwanted guests: EMET
One of the awesome under-publicized tools that does an awesome job of hardening a computer is Microsoft's Enhanced Mitigation Experience Toolkit or EMET for short. This tool helps vulnerabilities in software from being exploited. It's not foolproof and researches have found ways around it, but it is effective. I've seen it be effective first hand. The tool is easy to install and manage, but will require some action on your part.
Download EMET and run the install. As part of the installation select 'Use Recommended Settings' then click 'Finish' and 'Close.' Once installed, right click on the EMET icon in the bottom right corner of the screen or the box thingy that pops up by click on the triangle on the task bar. Ensure that Data Execution Prevention (DEP) is set to 'Always On,' Structured Exception Handler Overwrite Protection (SEHOP) is set to 'Application Opt In,' Address Space Layout Randomization (ASLR) is set to 'Application Opt In,' and Certificate Trust (Pinning) is set to 'Enabled.' And that is pretty much it. EMET is now running on your computer kicking ass.
Unfortunately, EMET also steps in and kicks the ass of a legitimate like its cousins Internet Explorer and Microsoft Office applications or some other program. To fix this look at the alert and look at what the program is being blocked for. Then click on the 'Apps' button in the configuration section and uncheck the box of the blocking action for that application.
For more information on the tool you can download the user guide with the EMET installation. Also, Windows Update will not keep EMET up-to-date and will require a manual download and installation of any new version releases.
This post first appeared on Exploring Information Security.
Protecting your computer from unwanted guests: software patching
Patching is an important part of protecting a computer from unwanted guests. It is that process where we like to hit 'Install later' when a new patch becomes available.
Windows updates should be straight forward and already set to automatically run when new patches come in. To check that this is in fact the case do the following:
Click Start -> Control Panel -> Windows Update. On the left hand side click 'Change settings.' In the 'Important updates' section click the drop down and select 'Install updates automatically (recommended).' Set a date and time. Mine are set to 'Every day' and at '3 a.m.'
For all non-Microsoft software use Secunia Personal Software Inspector (PSI). This is a free tool for home (commercial is paid) use that goes out and grabs and installs all the updates for most of the third party software installed on a machine. Some updates will require manual installation, but most won't require any action from you at all. Simply download, install, and forget. Well, except for the manual installs that should be checked for every once and a while.
This post first appeared on Exploring Information Security.
Protecting your computer from unwanted guests
My brother and I in Holland, in a big ass clog, keeping out feet protected from bad...things.
My brother recently contacted me about an incident involving a tech support scam. Luckily, the scam was caught before anything serious happened and one good thing came out of the episode, which leads me to this post and the next few posts. I will be going over some of the tools that can be used to keep unwanted guests out of a computer. All the tools I will be talking about are free, but will require some configuration and thinking.
Tools
Here are the four tools I recommend for avoiding those nasty Internet Transmittal Diseases (ITD):
Microsoft Security Essentials - Anti-virus
Secunia Personal Software Inspector (PSI) - Software patching
Microsoft Enhance Mitigation Experience Toolkit (EMET) - Computer hardening
Mozilla Firefox with NoScript plugin - Safe browsing
BONUS: Turn on click-to-play in browsers
I want go in-depth on Microsoft Security Essentials and turning on click-to-play in browsers. For Security Essentials, go to the download page, download, and install. Simple as that. There aren't many settings for the anti-virus program and that's a good thing. Anti-virus is largely mocked within the infosec community, because it's easy to circumvent, and that includes the $40-60 big name anti-virus companies of the world. Still, it has saved my bacon a time or two and worth installing, especially if it's free like Security Essentials.
I covered click-to-play in my last post and provided a link to a pretty good article that goes through how to turn on click-to-play in all the browsers. No need to reinvent the wheel, so here's the link again. Click-to-play is easy to turn on and easy to get used to and helps with computer performance.
If any of the posts are unclear are you have a questions, please leave a comment or contact me directly.
This post first appeared on Exploring Information Security.