Impressions from BsidesPhilly

The first BSides conference in Philadelphia was a major success.  Hats off to Ryan Knox and his team.  It was well planned and executed.  A real home run in my book.

For me, this had a different context.  It was my first security conference – ever.  My first BSides – ever.  It was also my first presentation outside of internal company meetings and conferences – ever.  My impressions and expectations were wildly mismatched.  I’ve come away with a different perspective on the infosec community – what it is and what it will become.

1. Infosec has a Big Tent

On the surface, the community as a whole can be broken down into “red teamers” and “blue teamers.”  As additional layers were revealed to me, it became clear it’s far more diverse than that.  Of the presentations I attended, I learned how to hack Outlook, hack humans, ask permission to break things and what APRS is.  The conversations were just as diverse.  I spoke with people about a passion for drones, how writing pen testing reports is an art (spoiler alert: don’t copy and paste) and how rolling your own crypto is a bad idea.

My impression is that the infosec community is full of polymaths.  These are people who master or dabble in multiple disciplines and domains.  No two people are the same.  Everyone brings something different to the table.  That’s the beauty of it all.  While some topics might be fundamental in nature, (a) if you don’t dabble in that domain, you learn, and (b) the individual brings the material to life and differentiates themselves in their space.

2. Community of Sharing

You would think that a bunch of infosec specialists would be tight-lipped.  Nope.  They share, big time.  Ask them about their experience in a space: done.  Tools to use: no problem.  Best way to script a pen test with PowerShell: let me show you.  Career advice for those starting out: let me see your resume.  Now ask them about what they are currently working on: no comment.  They seem to be more tight-lipped when it comes to clients and employers.

On top of that, the BSidesPhilly team sponsored a non-profit organization.  They raised funds via donations and an open auction for Hackers for Charity, which uses technology to improve living conditions in developing countries such as Uganda.

3. We’re Still Young

If information security were a person, we’d be a 12 year old.  Bright eyed and excited, willing to take on the world.  Full of passion to address the coming security challenges.  When I was twelve, I remember hearing some of the world’s best advice, yet never following it.  The unique opportunity is that infosec is a relatively new domain.  There are still generations of truths to help us out.  Years of advice to call on.  Frameworks laying the foundation of infosec for years to come.  We just have to listen and learn.  Say the words out loud in our own voices.

This is why BSides is so important.  It’s a forum for people of all security domains to slap another layer of mortar and bricks onto the foundation.  A place to lend a hand and pull the rest of the team up with you.  A place to whisper “old” ideas and scream out the new.

Thanks, BsidesPhilly.

When you have some time, check out my talk on security metrics – Size Doesn’t Matter.

Where are they now?

It’s strange how things work sometimes.  It feels like eons since I’ve posted here.  When I started this blog, I aimed at exploration.  Trying, succeeding… technically failing.  In essence, just trying is success.  Being brave enough to start the journey is a win.  Half of life is showing up.

The other half is being yourself.  Like Bruce Wayne with the League of Shadows, I went away for a while to learn what I didn’t know… to unlearn what I did know.  Search for the colors inside the outline.  In the process, I found something I needed.

Over the last year, I finished my CISSP certification, performed my first open mic poetry slam, ran the Broad Street run (9 min/mi) and changed my job of 9 years.  And that was by June.  Since then, I’ve been getting comfortable in this new skin.

With that, I’m happy to announce that I’ll be speaking at the first ever BsidesPhilly.  Damn, it feels good.  Hope to see you there.

Making Knowledge Based Authentication (KBA) Work!

Many people are familiar with knowledge-based authentication (KBA), but probably not by name.  You know it when you visit your bank site and you have to tell them the name of your pet in order to get in.  Sound familiar now?

Authentication is broken down into three forms:

  1. Something you have – grid card, cell phone, dongle
  2. Something you know – password, answers to questions, personal information
  3. Something you are – fingerprint, retina

Using more than one form of authentication is known as multi-factor authentication.  KBA is “something you know”; used in conjunction with a password it adds a second check and increases the strength of authentication, but note that both are the same factor, so password plus KBA is not multi-factor in the strict sense.  KBA is then further broken into two more categories:

  1. Static – these questions are setup during registration and rarely change.  Example: What is your favorite ice cream?
  2. Dynamic – these change often based on activities or transactions you may have recently conducted.  Example: How much was the last purchase on your credit card?

For this discussion, I’ll focus on Static KBA.  In theory, Static KBA is a great way to increase authentication strength.  In addition, you could reduce the number of helpdesk tickets and increase the productivity of employees and third-party partners.  While there are immediate benefits, there are also several challenges to implementing this properly.

Question Selection

This may seem like a slam dunk, but selecting the questions for your KBA implementation is the single most important item you’ll have to cover.  With the advent of social media, previously private information is now semi-public.  What’s the name of your favorite pet?  I’m sure someone in your social circle can track it down.  GoodSecurityQuestions.com created a great framework for developing KBA questions.  These guidelines help you form questions that are Safe, Stable, Memorable and Definitive (SSMD).  A full guide on following these guidelines can be found on that site.

Policy Implementation

Gartner touted that User Experience (UX) is a major factor in how customers interact with companies online.  The first impression of your customer’s UX is set with your authentication policies.  Here are the key considerations when forming a KBA policy.

  • Number of Questions During Registration
  • Number of Questions During Authentication
  • Number of Tries Before Lockout
  • Case Sensitivity of Answers
  • Answer Length
  • Soundex Matching for Misspellings

Here is a list of “gotchas” that also need to be built into your policy.

  • Same Answer for Multiple Questions
  • Answer can’t be a word from the question
  • Answers can’t be PII – name, SSN, etc.
  • Answers should be limited to one word

The last word on policy implementation is to implement the same KBA repository across multiple platforms.  Having users register for multiple questions, multiple times defeats the purpose of implementing this in the first place.
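Here is how the policy items and “gotchas” above look as code.  This is an added example, not code from the original post: a registration-time check for the gotchas list, plus enrolment and verification of the answers as salted PBKDF2 hashes with constant-time comparison, Soundex matching for misspellings and a failed-attempt counter for the lockout rule.  The policy values, the PBKDF2 round count and the `pii` list of the user’s own profile strings are assumptions.

```python
"""Static KBA answer policy, enrolment and verification (added example).

Assumed design: answers are normalised (whitespace collapsed, lower-cased when
the policy is case-insensitive), optionally reduced to a Soundex code so that
misspellings still match, then stored as salted PBKDF2 hashes and compared in
constant time.  Failed attempts are counted so the lockout threshold applies.
"""
import hashlib
import hmac
import os
import re

# Policy knobs named in the post; the values are assumptions.
POLICY = {"min_len": 3, "max_len": 30, "case_sensitive": False,
          "one_word": True, "soundex": True, "max_tries": 3}
PBKDF2_ROUNDS = 200_000

_SOUNDEX = {c: d for d, letters in {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
                                    "4": "L", "5": "MN", "6": "R"}.items()
            for c in letters}


def soundex(word):
    """American Soundex: first letter plus three digits, e.g. Robert -> R163."""
    word = re.sub(r"[^A-Z]", "", word.upper())
    if not word:
        return ""
    code, last = word[0], _SOUNDEX.get(word[0], "")
    for ch in word[1:]:
        if ch in "HW":            # H and W neither code nor separate equal codes
            continue
        digit = _SOUNDEX.get(ch, "")
        if digit and digit != last:
            code += digit
        last = digit              # a vowel resets `last`, so a repeated code counts again
    return (code + "000")[:4]


def normalise(answer):
    a = " ".join(answer.split())
    return a if POLICY["case_sensitive"] else a.lower()


def check_registration(qa_pairs, pii=()):
    """Return policy violations for a list of (question, answer) pairs.

    `pii` is an assumed list of the user's own profile strings (names, SSN)
    that must never be accepted as answers; an SSN-shaped answer is always rejected.
    """
    problems, seen = [], {}
    blocked = {normalise(p) for p in pii}
    for question, raw in qa_pairs:
        a = normalise(raw)
        if not POLICY["min_len"] <= len(a) <= POLICY["max_len"]:
            problems.append(f"{question!r}: length {len(a)} not in "
                            f"{POLICY['min_len']}..{POLICY['max_len']}")
        if POLICY["one_word"] and " " in a:
            problems.append(f"{question!r}: answer must be a single word")
        if a.lower() in set(re.findall(r"[a-z]+", question.lower())):
            problems.append(f"{question!r}: answer is a word from the question")
        if a in blocked or re.fullmatch(r"\d{3}-?\d{2}-?\d{4}", a):
            problems.append(f"{question!r}: answer is PII")
        if a in seen:
            problems.append(f"{question!r}: same answer as {seen[a]!r}")
        seen.setdefault(a, question)
    return problems


def _canonical(answer):
    a = normalise(answer)
    return (soundex(a) if POLICY["soundex"] else a).encode()


def enrol(answer, salt=None):
    """Return (salt, digest); the plaintext answer is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", _canonical(answer), salt, PBKDF2_ROUNDS)


def verify(stored, attempt):
    salt, digest = stored
    guess = hashlib.pbkdf2_hmac("sha256", _canonical(attempt), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, guess)   # constant-time compare


class KbaChallenge:
    """Tracks one user's attempts; locked once POLICY['max_tries'] failures occur."""

    def __init__(self, stored_answers):
        self.stored = stored_answers            # {question: (salt, digest)}
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= POLICY["max_tries"]

    def answer(self, question, attempt):
        if self.locked:
            return False
        ok = verify(self.stored[question], attempt)
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    qa = [("What was the make of your first car?", "Saturn"),
          ("What city were you born in?", "Washington")]
    print(check_registration(qa, pii=["Jane Doe"]))        # [] means acceptable
    vault = KbaChallenge({q: enrol(a) for q, a in qa})
    print(vault.answer("What city were you born in?", "Washingtn"))   # True via Soundex
```

Two design points worth noticing: the hash is computed over the canonical form (after case folding and Soundex), because that is the only form a misspelled attempt can match; and enabling Soundex collapses many distinct answers onto one four-character code, so it buys usability at the cost of guessing resistance, which is why the lockout counter and a slow hash matter more once it is on.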

Static KBA can’t be “Static”

LexisNexis and other knowledge brokers were recently breached.  The extent of what information was disclosed is still unknown.  As more private and semi-public information goes public on the internet, attackers are busy building ways to monetize your personal information.  Coupled with information stolen from knowledge brokers, this is a surefire recipe for identity theft.

Be vigilant and audit your authentication policies every three months or whenever an adverse event occurs, such as a breach at a broker that holds your users’ data.  This will allow you to be agile in how you respond to market conditions.

Privileged Identity Management – Part 1

Data, data everywhere, but you have no time to think.  One of an enterprise’s most important assets is its data.  Financial, intellectual property and employee information are all types of information that competitors and hackers alike clamor to get their hands on.  Making sure that only those who need this information to do their jobs can reach it is known as access control.  Implementing access controls is critical to safeguarding your data.  But what about those IT folks who show up to every employee gathering and eat all the pizza?  How do they fit into this?

The enterprise environment is split into multiple layers: network, database, application and infrastructure.  At each one of these layers, IT associates manage and maintain performance to make sure business can be conducted uninterrupted.  A byproduct of this responsibility is having access to all of the business’s most sensitive data.  If you are a CEO or business owner, I can hear your collective “Yikes!!!”  So what is a gal/guy to do?  Enter Privileged Identity Management.

Privileged Identity Management 

Privileged Accounts (PA) are non-user accounts that grant elevated access to systems, resources and data.  These are your Administrator, Root and Super User accounts.  They are typically shared among support personnel to perform administrative duties.  Our pizza-eating friends just went from Petty Cash Piranhas to true Enterprise Risk.

Risks

As with all of life’s activities, there is some level of risk involved.  This case is no different.  Having specialized labor perform a specific job or function is a huge benefit.  But be aware: you’re handing over the keys to the kingdom.  Understanding each risk/benefit proposition is the first step to proper mitigation.  I’ve highlighted some key risks to focus on:

  1. Lack of Audit Trail – PAs are essentially anonymous accounts.  They lack any association with a “real” user, so actions performed under such an account carry virtually no accountability.  It’s like free calories while on a diet.
  2. Access Leakage – Since passwords for PAs are shared among several people, they tend to leak out of administrative groups over time.  When hundreds or thousands of accounts are being managed, the password for one account may very well be the password for EVERY ACCOUNT.  If you know one, you have them all.  To top it all off, without good password management practices like changing them periodically, the situation snowballs out of control quickly.
  3. Segregation of Duties (SOD) – PAs have access to sensitive information in the enterprise.  In most cases, this data is Confidential or Classified.  PAs inherently lack SOD controls (they have access to EVERYTHING), so misuse can go completely unchecked.  Insert a purchase order into a database for “Line My Pocket Co.” AND then insert the approval for payment.  Easy money… check’s in the mail.
  4. Principle of Least Authority (POLA) – POLA asserts that by granting only the access required to perform a task, one can’t overstep one’s bounds.  Some administrators use PAs to perform daily activities that do not require the vast authority these accounts wield.  One small error in scripting could have monstrous unintended consequences.  Say the admin forgot they were in the same directory as your ERP database and issued a delete command.  POOF!  Bye-bye data.

I’ve just highlighted some of the inherent risks of utilizing PAs.  Not to worry though, there are strategies to minimize, mitigate and in some cases eliminate these risks.  In my next article, I will explore practical solutions for you to implement.  Eating too much will be the only reason to give IT the “hairy eye” at the next pizza party.

Google Two-Step Authentication

For those of you looking to add extra insurance on protecting yourself from hackers and other miscreants, Google has the answer: Two-Step Authentication and Application Specific Passwords.

Two-Step Authentication

To get started, you have to enable Two-Step Authentication in your Google account settings.

You’ll be asked to send a verification code to your mobile phone via SMS (text) or voice call.  Once you enter the verification code from Google, Two-Step will be enabled.  From then on, when you log into your Google Account in a web browser, Google will ask you for the verification code sent to your mobile phone.

If you are on a trusted computer, like a home laptop, be sure to check the “Remember this computer for 30 days” box.  This provides a balance between security and usability; leave it unchecked on shared or public machines, since it skips the second step on that computer.

Application Specific Passwords

Sliced bread may have been the marvel of the 20th century; however, an application-specific password is a very close rival.  Application Specific Passwords enable you to create unique passwords for different devices and programs that need your Google account to function.  For instance, if you have an Android-based phone, you’ll need a Google Account.  Instead of using your normal Google Account password, you can generate a unique password just for this device.

1. To enable, go to your Account Settings and then to “Authorizing Applications and Sites.”

2. Enter a device name and click Generate Password.

3. Take the generated password and enter it on your device.

You have now gained the benefit of a powerful control to protect yourself from stored browser sessions and stored passwords on multiple devices.  One caveat: an application-specific password lets that device in without the second step, so treat each one as a full credential and revoke it as soon as the device it was issued for is no longer in use.

Please note: if you have Android Tablets/Phones, Google TV, Google Accounts on your iPhone or Picasa/Outlook on your Desktop, you will now need to configure Application Specific Passwords for these, as your “normal” account password will no longer work.

Revoking Access

If your phone is ever lost or stolen, you can revoke its access by logging into your Google Account and clicking Revoke next to that device’s password.

Stay safe.  Stay Secure.  Stay in Control.  Enjoy!

The Cure is Also Killing You

So you’ve successfully implemented End-Point Protection, Vulnerability Assessments, Identity Management,  Application Monitoring, Log Management, Event and Incident Management and Compliance Auditing…now what?

You may find yourself overwhelmed with managing and maintaining your current security service portfolio while attempting to assess new threats to your organization.  I’ll provide some tips on how to not only stay afloat, but maximize your return on security investment (ROSI).

1. Keep With Your Core

Have you ever looked around your house while dicing an onion?  I have, and two stitches and a hospital visit later, I learned a valuable lesson about focus.  The minute you take your eye off the ball, the reality you were feverishly engulfed in completely disappears.  Like every shiny new MBA grad will tell you, stay with your core competency if you want to survive and thrive.  The same is true when discussing your security service portfolio.  Mastering the service you are providing takes dedication and buy-in from you and your organization before you can convince the business to invest in more services from you.  (Translation: they are investing in you.)

2. Staff Appropriately

Boats don’t sail on their own.  You need a crew all rowing in the same direction to make it move.  Standing up a new program means that staffing is critical.  The activities they will be performing in the next year should translate into what percent of a Full Time Employee (FTE) you will need to succeed.  Here I use the SIMA method to estimate the time.

  • Support – this will cover break fixes, helpdesk tickets, knowledge base articles and training.
  • Innovate – these are your “big swings” that have large scope, influence the entire “system” and will pay high returns.  For instance, correlating event data across security safeguards to build a security intelligence database (SID).
  • Maximize – process optimizations that improve efficiency and therefore, returns on your investment.  For instance, automatic incident tickets for unmitigated malware.
  • Audit – routine checks on access control and overall system health.

3. Know What To Drop

Like your collection of Olympic Wheaties cereal boxes, sometimes you have to let things go.  If you are working on a game-changing new security initiative and don’t have the funds to staff it, moving a different service into maintenance mode may be your best bet.  Be sure to pick a mature area with mid-level visibility.  Don’t forget the A in SIMA: plan on scheduling a monthly or quarterly audit to keep tabs on progress.

4. Have Fun

While information security may put you in high-pressure situations, make sure you’re having fun.  A positive attitude translates into positive outcomes.  Adding some levity to the grind will have a positive effect on you and your team.

Passwords Are Like Snowflakes…

…each one is unique, precious and can never be duplicated.  If only those words were true.  Passwords, and the management of them, continue to be the weak link in authentication to both enterprise and personal systems.  I’m going to cover a couple of methods for managing passwords effectively and why it may be one of the most important things you do.

Protecting passwords can be broken down into two categories, namely Password Strength and Password Management.

Password Strength

Password Strength deals with the complexity of the passwords that you choose.  A stronger password is harder to guess or to crack in a brute-force attack.  The Lockdown site has a great matrix effectively showing the importance of password complexity.  While complex passwords are great in theory, maintaining them can be a pain in the membrane.  I would like to think that as we push ourselves into the next century, humans will evolve to remember 22-character alphanumeric codes to protect ourselves.  That being said, my own experience indicates that I’m still a monkey at this point in that evolution.

The trade-off is simple: as you create stronger passwords, the ability to remember them becomes increasingly difficult.

What would a normal person do to address this?  Perhaps create one complex password and use it on every service they have membership to?  …or maybe just create really simple passwords.  Neither method is particularly effective.  Would you use the same key to unlock your car, house, garage, P.O. Box and safe?  Not likely.  If you lost your key, all of those physical assets would be at risk of compromise.  Likewise, protecting those assets with a lower-quality lock would be an ineffective control.

When I was at this point in my own evolution, my strategy was to create “theme” based passwords.  For example, I would choose something like “Last Names of Presidents of the United States.”  Then I would use the widely accepted convention of replacing “a”, “s”, “e”, “i” and “o” with “@”, “$”, “3”, “1” and “0” respectively, not necessarily all at once.  So a password like “Washington” would be converted to “W@sh1ngt0n”.  It worked for a while, but the explosion of web-based services I use has pushed this to the limits of my abilities.  Which brings me to my next point, Password Management.
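Those substitutions are exactly the rules a password-cracking tool applies to a wordlist, so a theme-based password is only as strong as the theme is obscure.  The block below is an added example, not code from the original post: it builds the candidate list an attacker would build from a small, constructed theme wordlist (US presidents’ surnames) and the substitution rules a=@, s=$, e=3, i=1, o=0, with each letter either kept or replaced (which is how “W@sh1ngt0n” arises), and checks a stored hash against every candidate.  SHA-256 stands in for whatever hash the target stores; the idea is the same for any fast hash.

```python
"""Added example: cracking a "theme + leet substitution" password.

The wordlist is a constructed stub; a real attacker uses the full list of
presidents plus every other popular theme.  SHA-256 is a stand-in hash.
"""
import hashlib
import itertools
import math

# Substitution rules assumed from the post's W@sh1ngt0n example.
RULES = {"a": "@", "s": "$", "e": "3", "i": "1", "o": "0"}

# Constructed theme list (eight of the forty-odd surnames).
WORDLIST = ["Washington", "Adams", "Jefferson", "Madison",
            "Monroe", "Lincoln", "Roosevelt", "Kennedy"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word):
    """Yield every variant in which each substitutable letter is kept or replaced."""
    slots = [(c, RULES[c.lower()]) if c.lower() in RULES else (c,) for c in word]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def candidates(wordlist=WORDLIST):
    """All mangled forms of each word in three common capitalisations."""
    for word in wordlist:
        for form in (word.capitalize(), word.lower(), word.upper()):
            yield from mangle(form)


def candidate_count(wordlist=WORDLIST):
    return sum(1 for _ in candidates(wordlist))


def crack(stored_hex, wordlist=WORDLIST):
    """Return (password, guesses_tried) for the first candidate matching stored_hex,
    or (None, guesses_tried) when the theme does not contain it."""
    tried = 0
    for tried, cand in enumerate(candidates(wordlist), start=1):
        if sha256_hex(cand) == stored_hex:
            return cand, tried
    return None, tried


def random_password_bits(length, alphabet_size):
    """Search space, in bits, of a uniformly random password for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    target = sha256_hex("W@sh1ngt0n")            # what a breached site might hold
    found, tried = crack(target)
    total = candidate_count()
    print(f"recovered {found!r} after {tried} of {total} guesses")
    print(f"theme space: {math.log2(total):.1f} bits; "
          f"random 10-char password over 95 symbols: {random_password_bits(10, 95):.1f} bits")
```

The point of the comparison at the end: every substitutable letter doubles the candidate list, so the eight-word theme yields only a few hundred guesses (under 9 bits), while a 10-character password drawn uniformly from the printable ASCII set is roughly 65 bits.  Substitutions dress a password up; they do not add much search space.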

Password Management

Password management has evolved from simply having to remember your one email account on your ISP to having to cram in your Amazon, Bank, Email, Credit Card, eBay, Paypal, Gmail and Work Authentication passwords.  You get the picture. 

I asked a security-minded friend recently about their password management strategy and they said they had a USB drive containing all their passwords locked in a safe.  This sounds secure to me; however, it’s definitely not convenient.  This makes me think of overprotective parents wrapping their kids in bubble wrap before going out to play.  Little Timmy WILL NOT be hurt… but how the hell will he swing a baseball bat?

Luckily, new applications and services have evolved to meet these needs.  The one I’ve used the most is LastPass.  They have a robust cross-platform strategy of web browser plugins to store all of your passwords.  All of your passwords are protected with one master password and stored encrypted on their servers.  Hence the name, LastPass… they claim it’s the last password that you’ll ever have to remember.  While this seems like a risky proposition, choosing a complex password for this service is paramount.  Just don’t lose it (or forget it)!

LastPass offers an integrated customer experience in your browser with secure password generation for new accounts, auto filling of your credentials for existing accounts and secure note functionality.  In addition, if you want to spring for the premium version ($12/year), you can use it on mobile devices and enable the ability for two factor authentication (which I’ll talk about later). 

Another strong contender, which I’ve briefly used, is KeePassX.  It offers all of the same features; however, its cross-platform strategy is a local application that stores an encrypted database on your own machine.  Choosing comes down to whether you want to trust LastPass as a steward of your password information in the cloud or prefer to manage the database locally.  There are compelling arguments for each, but at this point, I’ll leave it at personal preference.

So What Do I Do Now?

Take Inventory
1. Make sure you collect (or recollect) the credentials of every web site you regularly authenticate to.
2. Dig deep to remember sites that you may have signed up on to post a question, win a contest, register a product, etc.  All of these sites will have some reset-password or remember-password functionality.  Use it to get your credentials.

Take Action
1. Decide on a password management strategy that you are comfortable with (LastPass or KeePassX).
2. Store all of your credentials in your password manager.
3. Reset all of your web site passwords using the secure password generation tool in your password manager.

Notes:
1. Make sure you choose a master password for your password management tool that you can remember.  Losing this will render your data inaccessible.
2. Make sure you change your passwords at the very least, twice a year.
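Step 3 above leans on the manager’s password generator, so it is worth seeing what a sound one does.  This is an added example, not code from LastPass, KeePassX or the original post: it draws from the operating system’s CSPRNG through Python’s `secrets` module, reports the entropy each choice of length and alphabet buys, and offers a word-based passphrase as the memorable alternative for the master password.  The word list is a constructed stub; the 7,776 figure used in the demo is the size of a standard diceware list.

```python
"""Added example: a password generator with an entropy figure.

Standard library only.  `secrets` is used because `random` is not a
cryptographic generator and its output can be predicted from earlier output.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed stub; a real passphrase generator uses a list of several thousand words.
WORDS = ["copper", "lantern", "orbit", "velvet", "marble", "thistle", "harbor", "quartz"]


def generate_password(length=20, alphabet=ALPHABET):
    """Uniform, independent draws from `alphabet` using the OS CSPRNG."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words=5, words=WORDS, sep="-"):
    """Diceware-style passphrase: uniform draws from a word list, words may repeat."""
    if n_words < 1 or len(set(words)) < 2:
        raise ValueError("need n_words >= 1 and at least two distinct words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(picks, choices):
    """Entropy of `picks` uniform selections from `choices` symbols or words."""
    return picks * math.log2(choices)


def expected_years_to_crack(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret (half the space on average)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"-> {entropy_bits(20, len(ALPHABET)):.0f} bits")
    print(generate_passphrase(), f"-> {entropy_bits(5, 7776):.0f} bits with a 7,776-word list")
    # Guess rate is an assumed parameter; pick the one that matches your threat model.
    print(f"{expected_years_to_crack(64, 1e9):.0f} years at a billion guesses per second")
```

The entropy figure is only honest when every draw is uniform and independent, which is why the generator never applies “must contain a digit” style rules after the fact; such rules shrink the space rather than enlarge it.  The guess rate passed to `expected_years_to_crack` is the part you have to supply from your own threat model.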

2011 Personal Security New Year’s Resolutions

Introduction

So another year has come and gone, and another list of personal resolutions starts cropping up on the Internet like remixes of the “BED INTRUDER SONG”.  This one is no different.  In a year that showed the Stuxnet worm could harm people in the real world by affecting physical infrastructure, and in which DDoS attacks both for and against WikiLeaks emerged as a form of “hacktivism”, a look at resolutions for information security in your personal life should resonate.  I’ve compiled a short list of resolutions to consider for the new year to protect yourself.  The playbook for each is simple: Take Inventory and Take Action.

1. Data Protection

Take Inventory
Knowing is half the battle (or so G.I. Joe and his marketers want you to think).  Understanding what information you store on your computer and on the Internet will give you a better understanding of how to protect it.  The following categories are a guideline; add classifications as necessary.

Personal – Information that you would not share with anyone outside of your family or immediate social circle.  Think photographs, videos, drawings and poems.

Private – Any information that, if compromised, could reveal personal details about yourself that you do not share with anyone.  This type of information could be used in conjunction with publicly available data sources to attempt to steal your identity.

Classified – Any information that, in the wrong hands, could compromise your well-being.  Think financial information, social security numbers, investments and tax returns.  This is the most prized target for an identity thief, since little additional information is required to steal your identity.

Take Action

Now that you understand the type of data you possess, it’s time to put countermeasures in place to protect it.

A Brave New World (For Me)

The last time I shared anything meaningful on the internet was when Prodigy and AOL were king of the hill.  I remember being engaged in a discussion board on why paying $22 for a Ken Griffey Jr. rookie card was a waste of money, especially when I couldn’t buy one for less than $30 at the time.

Since that time, I’ve decided to purposely exclude myself from maintaining an online presence.  No bulletin boards, blogs, Facebook or Twitter.  I figured the less anyone knows about me, the better.  However, something recently changed in me.  While I would normally keep all of my thoughts, trials and successes in my head, I felt a grumbling deep inside of me.  I mean, I’ve always had a yearning to mentor, tutor and share, but recently this yearning has been growing stronger and louder.  Each passing day my internal compass was getting much more difficult to ignore.

Since I do not currently have the time to fulfill this need on a one-on-one basis in my personal life, I figured sharing this via a blog would be the next best thing.  My interests are vast.  They span from asymmetric key encryption to the zen of the movie Zoolander.  So the subject matter I cover will be very eclectic.

The premise of this blog boils down to one thing: we all have a need to explore our world in an experimental manner.  My intention is to share this process with you on all the topics and subject matters I encounter.  I may not always succeed in my endeavors.  In fact, I’ll technically be failing most of the time.  And that’s alright.  I’m making a light-hearted attempt to share the path to success (while hitting some bumps along the way).

So the motto here will be this:  We’re Always Trying; we’re Sometimes Succeeding; however, we’re Technically Failing.   I hope you enjoy.