How to build a home lab links

NSA TAO Chief Rob Joyce on network defense

The above video is from the USENIX Enigma conference, in which Rob Joyce, Chief of Tailored Access Operations at the National Security Agency, spoke. He spoke from the attacker's perspective and gave some best-practice advice and recommendations. Those who have been in information security for any extended period of time won't be surprised, but it's worth repeating.

I would recommend watching the video. It's only about 35 minutes long. If you don't have the time here are some notes I took on the talk.

BEST PRACTICES

  • Perform a third-party penetration test

  • Fix the items in the penetration test report

  • "You have to be continually defending and improving"

  • Understand the normal baseline for the traffic on the network

  • Monitor the network

  • Least privilege

  • Network segmentation

  • Enable and audit logs

  • Application white-listing (at the very least do high risk assets)

  • Anti-virus - reputation services

  • Incident response plan
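Three of the items above (know the normal baseline, monitor the network, enable and audit logs) come down to comparing what each host is doing now against what it normally does. As an added example, not from the talk or this post, here is a small Python script that builds a per-host baseline from constructed connection-log lines and then flags deviations in a later window: a peer the host has never talked to, or an outbound transfer far larger than its usual flows. The log format, host names, addresses and byte counts are all constructed for illustration.

```python
"""Baseline-and-deviation check over constructed connection-log lines.

Added example (not from the talk or the blog). Log format, hosts and
addresses are constructed; a real deployment would read flow or proxy logs.
"""
from collections import defaultdict
import statistics

# Constructed training window, one flow per line:
# "<src_host> <dst_ip> <dst_port> <bytes_out>"
BASELINE_LOGS = """\
ws01 10.0.0.5 445 12000
ws01 10.0.0.5 445 9000
ws01 203.0.113.10 443 30000
ws01 10.0.0.5 445 11000
ws01 203.0.113.10 443 28000
ws01 10.0.0.5 445 10000
ws01 203.0.113.10 443 31000
ws02 10.0.0.5 445 8000
ws02 203.0.113.10 443 25000
ws02 10.0.0.5 445 7500
ws02 203.0.113.10 443 26000
""".splitlines()

# Constructed later window to compare against the baseline. The third line
# is a new destination on an unusual port with a very large upload.
NEW_LOGS = """\
ws01 10.0.0.5 445 10500
ws01 203.0.113.10 443 29000
ws01 198.51.100.77 4444 950000
ws02 10.0.0.5 445 8200
""".splitlines()


def parse(lines):
    """Turn log lines into (src, dst, port, bytes) tuples, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        records.append((src, dst, int(port), int(nbytes)))
    return records


def build_baseline(records):
    """Per source host: the set of known (dst, port) peers and byte statistics."""
    baseline = {}
    sizes_by_host = defaultdict(list)
    for src, dst, port, nbytes in records:
        sizes_by_host[src].append(nbytes)
        baseline.setdefault(src, {"peers": set()})["peers"].add((dst, port))
    for src, sizes in sizes_by_host.items():
        baseline[src]["mean"] = statistics.mean(sizes)
        # Population stdev; a single observation gives no spread at all.
        baseline[src]["stdev"] = statistics.pstdev(sizes) if len(sizes) > 1 else 0.0
    return baseline


def find_deviations(records, baseline, z_threshold=3.0):
    """Return (host, reason) alerts for flows that do not fit the host's baseline."""
    alerts = []
    for src, dst, port, nbytes in records:
        profile = baseline.get(src)
        if profile is None:
            alerts.append((src, "unknown source host"))
            continue
        if (dst, port) not in profile["peers"]:
            alerts.append((src, f"new peer {dst}:{port}"))
        spread = profile["stdev"] or 1.0  # avoid division by zero on flat baselines
        z = (nbytes - profile["mean"]) / spread
        if z > z_threshold:
            alerts.append((src, f"outbound bytes {nbytes} is {z:.1f} sigma above baseline"))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse(BASELINE_LOGS))
    for host, reason in find_deviations(parse(NEW_LOGS), profile):
        print(f"ALERT {host}: {reason}")
```

The baseline window is deliberately short; in practice you would train over days of logs and re-baseline periodically, because "continually defending and improving" applies to the detection logic as much as to the hosts.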


RECOMMENDATIONS

This post first appeared on Exploring Information Security.

Verizon Data Breach Investigation Report impressions

This is the first year I've read the full Verizon Data Breach Investigation Report. It was quite entertaining, but then again I'm into baseball and within baseball I'm into statistics. The report was easy to read, interesting, and informative and here are my impressions of the 70 page-ish report:

Threat Intelligence

Sharing threat intelligence is useful, but the strategy needs to be more, "going to the well" than "drinking from the hose." Think of the NSA's collection of information, which has been found to largely be ineffective at discovering attacks.

Phishing

Communications, legal, and customer service departments were all more likely to open a phishing email. There is no easy solution or magic wand that can make phishing go away. We need to focus on better filtering, developing and executing an ENGAGING and THOROUGH security awareness program, and improve detection and response capabilities.

Vulnerabilities

It's more effective to focus on getting a patch deployment strategy in place than to try patching systems as soon as a new patch is released. Ten CVEs account for almost 97% of exploits observed in 2014. The ten:

  1. CVE-2002-0012 - SNMP

  2. CVE-2002-0013 - SNMP

  3. CVE-1999-0517 - SNMP

  4. CVE-2001-0540 - Memory leak

  5. CVE-2014-3566 - POODLE

  6. CVE-2012-0152 - RDP

  7. CVE-2001-0680 - Directory traversal

  8. CVE-2002-1054 - Directory traversal

  9. CVE-2002-1931 - XSS

  10. CVE-2002-1932 - Log deletion

According to this list, there are still a lot of vulnerabilities from the past that need to be patched. Getting a patching process in place is great for all the new stuff, but don't forget about all the old stuff that came out before the security team was in place.
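One way to act on that point is to let "actually exploited in the wild" outrank raw severity when ordering the patch queue. As an added example, not from the report or this post, the Python below ranks a constructed set of scanner findings so that the ten CVEs listed above go first, internet-facing hosts next, and CVSS score only breaks ties. The host names, CVSS values and exposure flags are constructed, and the two IDs of the form CVE-0000-NNNN are placeholders for "some other finding", not real CVEs.

```python
"""Order a patch queue by exploited-in-the-wild status before severity.

Added example, not from the DBIR or the blog. The only data taken from
the page is the list of ten CVEs; hosts and findings are constructed.
"""

# The ten CVEs the report says accounted for almost 97% of 2014 exploits.
DBIR_2014_EXPLOITED = {
    "CVE-2002-0012", "CVE-2002-0013", "CVE-1999-0517", "CVE-2001-0540",
    "CVE-2014-3566", "CVE-2012-0152", "CVE-2001-0680", "CVE-2002-1054",
    "CVE-2002-1931", "CVE-2002-1932",
}

# Constructed scanner findings: (host, cve_id, cvss_score, internet_facing).
# CVE-0000-0001 and CVE-0000-0002 are placeholders, not real identifiers.
FINDINGS = [
    ("web01", "CVE-2014-3566", 4.3, True),
    ("web01", "CVE-0000-0001", 9.8, True),
    ("netmon01", "CVE-2002-0013", 7.5, False),
    ("netmon01", "CVE-1999-0517", 7.5, False),
    ("term01", "CVE-2012-0152", 4.3, True),
    ("fileshare", "CVE-0000-0002", 7.2, False),
]


def cve_year(cve_id):
    """Year embedded in a CVE id, or None if the id is not in CVE-YYYY-NNNN form."""
    parts = cve_id.split("-")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    return int(parts[1])


def priority_key(finding):
    """Sort key: exploited first, then internet-facing, then highest CVSS."""
    _host, cve, cvss, exposed = finding
    exploited = cve in DBIR_2014_EXPLOITED
    return (0 if exploited else 1, 0 if exposed else 1, -cvss)


def rank_patch_queue(findings):
    """Return findings in the order they should be patched (stable sort)."""
    return sorted(findings, key=priority_key)


def exploited_per_host(findings):
    """Count findings per host that match the exploited-in-the-wild list."""
    counts = {}
    for host, cve, _cvss, _exposed in findings:
        if cve in DBIR_2014_EXPLOITED:
            counts[host] = counts.get(host, 0) + 1
    return counts


def oldest_exploited_year(findings):
    """Oldest CVE year among exploited findings: the 'old stuff' still lingering."""
    years = [cve_year(cve) for _h, cve, _c, _e in findings if cve in DBIR_2014_EXPLOITED]
    years = [y for y in years if y is not None]
    return min(years) if years else None


if __name__ == "__main__":
    for host, cve, cvss, exposed in rank_patch_queue(FINDINGS):
        tag = "EXPLOITED" if cve in DBIR_2014_EXPLOITED else "other"
        print(f"{host:10} {cve:15} cvss={cvss:4} exposed={exposed!s:5} {tag}")
    print("oldest exploited CVE year:", oldest_exploited_year(FINDINGS))
```

The sort is stable, so two findings with identical keys keep their scan order; if you want age to matter as well (the post's point about "old stuff"), add `-(2100 - (cve_year(cve) or 2100))` or similar as a fourth element of the key.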

Mobile

".03% of smartphones per week were getting owned by "high-grade" malicious code."

Android is the worst operating system (everyone saw that one coming) and, "most of the malware is adnoyance-ware and similar resource-wasting infections." This might change in the future, but for now it's not a huge area of concern.

Malware

My favorite line came from this section, "Special snowflakes fall on every backyard," which is in relation to "new" malware getting around anti-virus as being described as "advanced" or "targeted." Not the case according to the report. Malware is being given unique hashes to avoid detection by anti-virus.

Industry profiles

Each organization is unique, which is not earth shattering, but good to understand when looking at internal and external entities.

Impact

There is some supply and demand with data breaches: the higher the number of records lost, the lower the cost of each record. Keep in mind records only tell half the story when it comes to the impact of a breach. There is fallout, not only within the company but outside it.

Incident classification patterns

96% of data breaches fall into nine basic patterns:

  1. POS Intrusions - 28.5%

  2. Crimeware - 18.8%

  3. Cyber-Espionage - 18%

  4. Insider Misuse - 10.6%

  5. Web App Attacks - 9.4%

  6. Miscellaneous Errors - 8.1%

  7. Physical Theft/Loss - 3.3%

  8. Payment Card Skimmers - 3.1%

  9. Denial of Service - 0.1%

These are all from the first half of the report. The other half of the report went into discussing each type of data breach and what we can learn. I highly recommend reading the whole report. Not only is it an easy read, but it gives great insight into the current landscape of breaches.


Protecting your computer from unwanted guests: Firefox with NoScript

In the final post of this series I'll look at my favorite tool, Firefox with the NoScript plugin. Firefox is a browser by Mozilla and NoScript is a plugin that can be installed on Firefox. What NoScript essentially does is block, by default, all the "JavaScript, Java, Flash, and other plugins" running on websites until you allow them. It also provides cross-site scripting (XSS) and clickjacking protection.

After downloading and installing Firefox, go to the NoScript site or plugin page and install it to Firefox. A reboot of the browser will be required, but NoScript will be up and running. Now comes the annoying part. Every website and every script running on that website will require your approval to run. This is great for avoiding malware and web ads, but means that a page might not run properly when you first visit it.

To allow a web page and the scripts needed to perform functions on it, click on the NoScript icon, which is an 'S' with a prohibition sign. Click on the main web page entry and allow it; this will provide some more functionality on the page as well as open up more scripts to unblock. And that's the tricky part: figuring out which scripts to allow to run. A Google search can help with this, but sometimes it's just trial and error to allow the right script to get the function you want to run. If you get frustrated enough you can 'Temporarily allow all this page,' 'Allow all this page,' or 'Allow Scripts Globally (dangerous).' Allowing scripts globally will essentially disable the plugin and I would avoid it if you can. 'Temporarily allow' lasts as long as the browser is open, and 'Allow all this page' allows all the scripts on the page permanently. Some scripts run on multiple sites, so allowing them once allows them for all websites.

This method of protection will require the most work on your part, but also provides the most security when browsing the web. Accidentally clicked the wrong link? No worries, the script that installed the nasty malware never had a chance to run. You'll also get to see all the useless crap companies put on their web pages.

This is the final post in my series on Protecting your computer from unwanted guests. This was mainly to provide my brother a walkthrough for protecting his computers at work, but if any other security professionals would like to chime in with tips or other suggestions, I would love that.


Protecting your computer from unwanted guests: EMET

One of the awesome under-publicized tools that does an awesome job of hardening a computer is Microsoft's Enhanced Mitigation Experience Toolkit, or EMET for short. This tool helps prevent vulnerabilities in software from being exploited. It's not foolproof and researchers have found ways around it, but it is effective. I've seen it be effective first hand. The tool is easy to install and manage, but will require some action on your part.

Download EMET and run the install. As part of the installation select 'Use Recommended Settings' then click 'Finish' and 'Close.' Once installed, right click on the EMET icon in the bottom right corner of the screen, or in the box that pops up when you click the triangle on the task bar. Ensure that Data Execution Prevention (DEP) is set to 'Always On,' Structured Exception Handler Overwrite Protection (SEHOP) is set to 'Application Opt In,' Address Space Layout Randomization (ASLR) is set to 'Application Opt In,' and Certificate Trust (Pinning) is set to 'Enabled.' And that is pretty much it. EMET is now running on your computer kicking ass.

Unfortunately, EMET also steps in and kicks the ass of legitimate programs, like its cousins Internet Explorer and the Microsoft Office applications, or some other program. To fix this, look at the alert and see what the program is being blocked for. Then click on the 'Apps' button in the configuration section and uncheck the box for the blocking mitigation for that application.

For more information on the tool you can download the user guide with the EMET installation. Also, Windows Update will not keep EMET up-to-date and will require a manual download and installation of any new version releases.


Protecting your computer from unwanted guests: software patching

Patching is an important part of protecting a computer from unwanted guests. It is that process where we like to hit 'Install later' when a new patch becomes available.

Windows updates should be straight forward and already set to automatically run when new patches come in. To check that this is in fact the case do the following:

Click Start -> Control Panel -> Windows Update. On the left hand side click 'Change settings.' In the 'Important updates' section click the drop down and select 'Install updates automatically (recommended).' Set a date and time. Mine are set to 'Every day' and at '3 a.m.'

For all non-Microsoft software use Secunia Personal Software Inspector (PSI). This is a free tool for home use (the commercial version is paid) that goes out and grabs and installs the updates for most of the third-party software installed on a machine. Some updates will require manual installation, but most won't require any action from you at all. Simply download, install, and forget. Well, except for the manual installs, which should be checked for every once in a while.


Protecting your computer from unwanted guests

My brother and I in Holland, in a big ass clog, keeping our feet protected from bad...things.

My brother recently contacted me about an incident involving a tech support scam. Luckily, the scam was caught before anything serious happened and one good thing came out of the episode, which leads me to this post and the next few posts. I will be going over some of the tools that can be used to keep unwanted guests out of a computer. All the tools I will be talking about are free, but will require some configuration and thinking.

Tools

Here are the four tools I recommend for avoiding those nasty Internet Transmittal Diseases (ITD):

  • Microsoft Security Essentials - Anti-virus

  • Secunia Personal Software Inspector (PSI) - Software patching

  • Microsoft Enhanced Mitigation Experience Toolkit (EMET) - Computer hardening

  • Mozilla Firefox with NoScript plugin - Safe browsing

  • BONUS: Turn on click-to-play in browsers

I won't go in-depth on Microsoft Security Essentials or turning on click-to-play in browsers. For Security Essentials, go to the download page, download, and install. Simple as that. There aren't many settings for the anti-virus program and that's a good thing. Anti-virus is largely mocked within the infosec community, because it's easy to circumvent, and that includes the $40-60 big name anti-virus companies of the world. Still, it has saved my bacon a time or two and is worth installing, especially if it's free like Security Essentials.

I covered click-to-play in my last post and provided a link to a pretty good article that goes through how to turn on click-to-play in all the browsers. No need to reinvent the wheel, so here's the link again. Click-to-play is easy to turn on and easy to get used to and helps with computer performance.

If any of the posts are unclear or you have questions, please leave a comment or contact me directly.
