Saturday, August 11, 2012

Week 10: Lessons learned

Current Trends in Cybersecurity, Week 10,  lessons learned.

Looking back, this class seemed to fly by, yet was one of the most taxing classes I've taken so far.  When the class first started and we were given the option to go at it without a textbook, I thought: "Well, this should be a pretty easy class if a book isn't even required."  Nothing could have been further from the truth.  So, right off the bat, if I had to revise my approach, I would definitely have eaten the cost and purchased the book sooner than I did.

The biggest issue I had with this class was trying to narrow the scope of my work; I found myself jumping between NIST guidance, referencing CISSP material, and following guidance in my penetration test material, and basically found myself fighting self-inflicted scope creep and found myself spending way too many nights up at 3am just short of banging my head on my keyboard in frustration.     

To do over again, I'm sure I could deliver a better final product, but to be quite honest, I'm not sure that I would do it any differently -- I am sure the amount of reading and research I've done over the last 10 weeks will pay off in spades in the long run.   

Lesson learned, there may be a dozen ways to skin a cat, but in a project like this, pick ONE model and go with it; don't mix it up or it becomes hard to handle as the project grows.  At work we follow NIST guidance exclusively, so it's easy to follow a blueprint and get from A-to-Z.  I could have gone that route and saved myself a lot of headaches, but in the end, I think I've learned more by stepping out of my comfort zone and trying to recreate the wheel.

Sunday, August 5, 2012

Week 9

Having wrapped up week 9 of Current Trends in Cybersecurity, it's hard to believe we're only a week away from being done with this term!  It's been quite a challenge packing 12 weeks of study into 10, especially these last couple of weeks.  I've been revisiting a lot of my CISSP material for this course, as there's a lot of overlap. 

My home testbed is all but covered in cobwebs, as I haven't had the time to play with all the reading I've been doing these last couple of weeks. 

It's a real challenge to keep the size of these documents down to a manageable size for the class, I'm finding myself picking and choosing what to add and what to dismiss because otherwise the final product would be massive; unfortunately I feel that my deliverable products seem a bit lackluster because of that fact, but I'm sure my peers are not interested in reviewing a gargantuan document.

We're in the final stretch, I'm looking forward to hearing what my peers have to say about my final project, and eager to make corrections, tidy it up and be on my way to the next hurdle; only 4 classes to go until this degree is in the books.

Sunday, July 29, 2012

Lights, Camera, Action Plan!

Week 8 of 'Current Trends in Cybersecurity' has us working on a Threat Action Plan for the fictional Harry & Mae's organization.  This week I am to reflect on the hardest part of working out the Action Plan.

For me the hardest part of working on the Harry & Mae's case study to provide threat, vulnerability, and risk analysis is trying to find the happy medium of demonstrating that I understand the material without going overboard.  Done properly (as if Harry & Mae's were a real-world client), the Threat Action Plan would likely be somewhere in the ballpark of 80 pages long.

There are a lot of references out there to draw from, including NIST pubs and CISSP material, but my biggest problem is trying to grasp what is really required for these assignments.  I could spend another 40 hours sifting through NIST documents, and another 40 hours using ALE (SLE * ARO) calculations to present something that demonstrates a strong grasp of how to approach this case study, but I'm not sure if something along those lines is required, or if it'd be overkill. 

The material for the other class I'm currently enrolled in (Ethical Hacking and Response) is very familiar, so it frees me up to really focus on this class.  Again, the challenge for me this week is to know where to draw the line on identifying threats/vulnerabilities/risks; for example, identifying threats/vulnerabilities/risks associated with a Cisco Nexus 7000 Switch could take a week by itself, so I've opted to provide a few simple examples for each area I'm addressing and hope that it's enough to meet the requirement and demonstrate that I have a grasp of what we're attempting to achieve.
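A worked example of the quantitative risk figures mentioned above, added here and not part of the original post or the Harry & Mae's case material.  Every asset value, exposure factor and rate of occurrence below is constructed for illustration.  It goes slightly beyond the SLE * ARO formula in the text by ranking a small risk register by ALE and by computing the annual value of a safeguard (ALE before, minus ALE after, minus the safeguard's yearly cost), which is the next step a Threat Action Plan would take before recommending a control.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a quantitative risk register (constructed figures)."""
    threat: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF (loss from one occurrence)."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO (expected loss per year)."""
        return round(self.sle() * self.aro, 2)


def rank_by_ale(risks):
    """Highest expected annual loss first: this is the order to treat them in."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def safeguard_value(risk: Risk, new_ef: float, new_aro: float, annual_cost: float) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of the control.
    A negative result means the control costs more per year than the risk it removes."""
    after = Risk(risk.threat, risk.asset_value, new_ef, new_aro)
    return round(risk.ale() - after.ale() - annual_cost, 2)


# Constructed register for a fictional small business; not real data.
REGISTER = [
    Risk("Ransomware on the file server", asset_value=200_000, exposure_factor=0.5, aro=0.2),
    Risk("Unencrypted laptop lost with customer data", asset_value=50_000, exposure_factor=1.0, aro=2.0),
    Risk("Core switch hardware failure", asset_value=40_000, exposure_factor=0.25, aro=0.5),
]


def laptop_fde_value() -> float:
    """Full-disk encryption on laptops: the laptop is still lost twice a year (ARO unchanged),
    but only the hardware is exposed (EF drops to 0.1). Assumed licence/support cost: $8,000/yr."""
    laptop = REGISTER[1]
    return safeguard_value(laptop, new_ef=0.1, new_aro=2.0, annual_cost=8_000)


if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.threat:45s} SLE=${r.sle():>10,.2f}  ALE=${r.ale():>10,.2f}")
    print(f"Laptop FDE is worth ${laptop_fde_value():,.2f} per year")
```

The ranking is what makes the exercise useful: the lost-laptop scenario has a smaller single loss than ransomware but a far larger expected annual loss because it happens so often, which is the kind of result that is easy to miss when eyeballing a threat list.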

Sunday, July 22, 2012

Technical Aspects of CyberSecurity


There's a plethora of Cyber Security tools available on the Internet, but I've come up with a top 10 list of my favorite tools which I feel are beneficial for any Cybersecurity Professional.

·         The Cyber Security Evaluation Tool (CSET):  A free Department of Homeland Security (DHS) tool that helps organizations assess the security of their control-system and IT assets.  It ships with a variety of standards (NIST, NERC, ISO, DoD, etc.) that can be selected as the baseline for a question-driven self-assessment of the target system (it does not scan the network).  The software generates a detailed report that indicates the areas falling short of the chosen standard.  
 

·         Microsoft Security Essentials:  A free tool provided by Microsoft to aid in protecting against viruses, spyware, and other malicious software.  Easy to install, update, and runs in the background so it's not intrusive to end-users.


·         Ad-Aware Free Antivirus+:  Free anti-spyware and anti-virus software; features download protection, sandboxing, and advanced detection.


·         RootkitRemover:  A free, stand-alone McAfee product which is used to detect and remove complex rootkits and associated malware.  


·         Wireshark:  A free, open-source network protocol analyzer.  Wireshark is a great tool for network troubleshooting and analysis.  It's user-friendly with a graphical front-end.


·         NMAP:  A free and open-source tool for network discovery and security auditing.  This is a must-have tool for Cyber Security.  


·          Leviathan Auditor:  A network auditing and penetration tool which works on (and against) Microsoft machines.  Leviathan can enumerate: users, local groups, shares, hidden shares, transports, installed services, registry and more.


·         THC-Hydra:  A free, open-source network logon cracker.  Easy to use and one of the faster network logon crackers.


·         Cain & Abel:  A password recovery tool for Microsoft operating systems.  Can be used to sniff networks, crack encrypted passwords via dictionary, brute force, and cryptanalysis attacks.  It can also capture VoIP conversations, decode scrambled passwords, capture and crack wireless networking keys.


·         BackTrack Linux:  Hands down my favorite technical security tool.  BackTrack is the one-stop shop of security tools.  It can be installed to a PC or run from a Live CD distribution.  With Metasploit, NMAP, and Nessus on board, it's one of the greatest toolkits a security professional could hope for!   
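A single `nmap -sV` run against a /24 produces more output than anyone reviews by hand, so here is an added example (mine, not the blog's and not the Nmap project's code) that parses Nmap's XML report (`nmap -sV -oX scan.xml <target>`) and pulls out the open services worth a second look: cleartext login protocols and exposed remote-administration ports.  The XML below is constructed to mimic Nmap's format, the hosts are fictional, and the two service categories are my own choice rather than anything Nmap defines.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (fictional hosts).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.0/29" version="6.01">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.10" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.56.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Service" method="probed" conf="10"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.56.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# My own categories: protocols that carry credentials in the clear, and
# administration services that should rarely be reachable from a scanner's vantage point.
CLEARTEXT_LOGIN = {"ftp", "telnet", "pop3", "imap"}
REMOTE_ADMIN = {"telnet", "ms-wbt-server", "vnc"}


def parse_nmap_xml(xml_text: str):
    """Return [{addr, ports:[{port, proto, service, product}]}] for each host that is up,
    keeping only ports Nmap reports as open."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None or (status is not None and status.get("state") != "up"):
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                          "service": name, "product": product})
        hosts.append({"addr": addr_el.get("addr"), "ports": ports})
    return hosts


def findings(hosts):
    """(addr, port, service, reason) for every open service in a flagged category."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["service"] in CLEARTEXT_LOGIN:
                out.append((h["addr"], p["port"], p["service"], "credentials cross the wire in cleartext"))
            if p["service"] in REMOTE_ADMIN:
                out.append((h["addr"], p["port"], p["service"], "remote administration exposed; confirm it is intended"))
    return out


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print(h["addr"], [(p["port"], p["service"], p["product"]) for p in h["ports"]])
    for addr, port, svc, why in findings(parsed):
        print(f"[!] {addr}:{port} {svc}: {why}")
```

Running this against real scan output is the same two lines (`open("scan.xml").read()` into `parse_nmap_xml`); the value is in extending the category sets to what your environment considers abnormal and diffing successive scans rather than reading each one from scratch.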

Also, two great sites to peruse for an abundance of tools (many of them free) are:

-and-


References:

Ad-Aware Free Antivirus+.  Retrieved 22 July, 2012, from: http://www.lavasoft.com/products/ad_aware_free.php?t=overview

Backtrack Linux:  Retrieved 22 July, 2012, from: http://www.backtrack-linux.org/

Cain & Abel.  Retrieved 22 July, 2012, from: http://www.oxid.it/cain.html

Control Systems Security Program (CSSP): CSET.  Retrieved 22 July, 2012, from: http://www.us-cert.gov/control_systems/satool.html

Leviathan Auditor.  Retrieved 22 July, 2012, from: http://leviathan.sourceforge.net/

Microsoft Security Essentials.  Retrieved 22 July, 2012, from: http://windows.microsoft.com/en-US/windows/products/security-essentials

NMAP.  Retrieved 22 July, 2012, from: http://nmap.org/

RootkitRemover.  Retrieved 22 July, 2012, from: http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

SecTools.org: Top 125 Network Security Tools.  Retrieved 22 July, 2012, from: http://sectools.org/

THC-Hydra.  Retrieved 22 July, 2012, from: http://freeworld.thc.org/thc-hydra/

Wireshark.  Retrieved 22 July, 2012, from: http://www.wireshark.org/

Sunday, July 15, 2012

What's in your wallet?

Nikhil Kolbekar, aka HellsAngel, was arrested in Mumbai, India on the 11th of July.  Eric Bogle, aka Swat Runs Train, was taken into custody in Canada and Justin Mills, aka xTGxKAKAROT, was taken into custody in Colorado.

Kolbekar and Bogle are suspected of selling complete credit card information, to include: names, addresses, social security numbers, birth dates, and bank account information.

Kolbekar also sold remote desktop protocol (RDP) access credentials that could be used to break into computers and steal credit card and identity information from PCs located in Turkey, India, the Czech Republic, Brazil, Germany, France, Italy, Spain, Sweden, and other countries.

Kolbekar was brought before Esplanade Court last Thursday and has remained in judicial custody.  He will be brought before the Patiala House court in Delhi on the 25th of this month, and the US is pushing for his extradition through Interpol.

Janice K. Fedarcyk, the assistant director in charge of the New York FBI office, said that the cross-border law-enforcement operation is targeting "highly organized cyber criminals" and that its focus is to "root out criminal behavior on the Internet."  Fedarcyk says that the arrests in India, Canada, and the US are all part of Operation Card Shop, and that these arrests serve as an example that cyber criminals will be stopped even if they cross borders. 

Operation Card Shop is an international operation aimed at catching those involved in the buying and selling of stolen identities, compromised credit cards, counterfeit documents, and sophisticated hacking tools.  It ran undercover for roughly two years before its first round of arrests was announced on 26 June, 2012; 27 people have been arrested so far as part of this ongoing operation.

It's exciting to see that there's something is being done to crack down on identity and credit card theft, but looking at the numbers, 27 arrests in a little over two years doesn't seem that hefty, but if these individuals are major players in operations the numbers may not be as important as the message that it sends to those who are involved in this type of criminal activity. 


References:

Hacker wanted by FBI arrested (2012):  Retrieved 15 July, 2012, from:  http://www.indianexpress.com/news/hacker-wanted-by-fbi-arrested/973844/

Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce Additional Arrests As Part Of International Cyber Crime Takedown.  Retrieved 15 July, 2012, from: http://www.justice.gov/usao/nys/pressreleases/july12/cardshopfollowup.html

THN Security Analyst (2012).  Hacker wanted by FBI held in India for carding crimes.  Retrieved 15 July, 2012, from: http://thehackernews.com/2012/07/hacker-wanted-by-fbi-held-in-india-for.html

Monday, July 9, 2012

Reviewing List of Sources

A few weeks ago I came up with a list of sources that I feel are useful for vulnerability research:
This week I consider the following: Are these the actual sources that I am using in my current class? Are there any additional sources I've discovered? Any that I have decided would not be good to use?
To answer the first question: Are these actual sources that I am using in my current class?

The sites that I feel I am getting the most use out of are: nvd.nist.gov, cve.mitre.org, and exploit-db.com.

Second question: are there any additional sources that I've discovered?  No; with such an extensive list already compiled, I haven't had the time or need to seek out additional sources this week.

Third question: Any that I have decided not to use?  In regards to looking for specific vulnerabilities, I would say that I would use the three that I've listed in my first answer, and the rest would simply be used for situational awareness of new vulnerabilities that are being talked about online.

  

Saturday, June 30, 2012

The most important IT security policies & procedures

           This week my focus has been on IT security policies and procedures and I figured that it wouldn't hurt to have a list of some of the more important ones. 

            A security policy is documentation that spells out a specific set of rules and regulations and the basis on which they are enforced.  A policy is the foundation on which a security program is built, and it is what allows people to be held accountable for their actions.  It is a living document that lets an organization define clear objectives, goals, formal procedures, and rules that define the overall security posture and design of the organization.

            Before getting into specifics, there are a few characteristics that all policies should have:

·         The policy must be understandable

·         The policy must be realistic

·         The policy must be consistent

·         The policy must be enforceable

·         The policy must be documented, distributed, and communicated correctly

·         The policy must be flexible

·         The policy must be reviewed

            A policy should spell out the following:

·         Roles and responsibilities of those affected by the policy

·         Which actions, processes, and activities are and are not allowed

·         What the consequences are for non-compliance

            The following list is what I feel are the most important policies and procedures:

·         Password security policy - defines rules for passwords: complexity, length, expiration, etc.

·         Physical access policy - guidelines for physical access and control

·         Encryption policy - guidelines for encrypting data

·         Remote access policy - defines what actions are and are not allowed when connecting to the system remotely.

·         Internal Information access policy - covers who has access to what, a 'need-to-know'

·         Social Media policy - covers what employees shouldn't post on social media sites

·         Data classification policy - guidelines for data classification

·         Acceptable use policy - covers Internet, local network, software installation, e-mail use, etc. for all users

·         Privacy policy - guidelines on private data usage and control

·         Disposal and destruction policy - guidelines on when/how data and media are disposed of or destroyed, and by whom

·         Storage and retention policy - guidelines for storage and retention of data

·         Incident response policy - guidelines for incident response to include roles and responsibilities

·         HR security policy - background checks, onboarding and offboarding (account provisioning and revocation), and the disciplinary process for policy violations

·         Change management policy - how changes to systems are requested, tested, approved, documented, and rolled back

·         Firewall policy - what traffic is permitted by default (normally deny-all), who may request and approve rule changes, and how rules are logged and periodically reviewed

·         Personal electronic device policy - guidelines for mobile electronic devices, USB, and DVDs, what is and is not allowed in the facility


References:

Davidson, E. Media, D. (n.d.).  IT security and the importance of policies and procedures.  Retrieved 30 June, 2012, from: http://smallbusiness.chron.com/security-importance-policies-procedures-1100.html

Global Knowledge (2010).  10 Essential security policies.  Retrieved 30 June, 2012, from: http://www.infosecisland.com/blogview/5033-10-Essential-Security-Polices.html

Shimonski, R. (2003).  Defining a security policy.  Retrieved 30 June, 2012, from: http://www.windowsecurity.com/articles/Defining_a_Security_Policy.html

Thursday, June 21, 2012

Flame On!!!

                        It is being reported today that unnamed Western officials have confirmed that the Flame malware was developed by the US and Israeli governments.  Flame collected intelligence which aided in slowing Iran's nuclear program.   

            According to officials, the malware covertly monitored and mapped Iran's computer networks, and the data was retrieved and steadily sent back to prepare for a cyberwarfare campaign.  The effort to develop and deploy the software included the National Security Agency (NSA), the Central Intelligence Agency (CIA), and Israel's military.  The same effort also included destructive software such as the Stuxnet worm, which caused malfunctions at Iran's nuclear-enrichment facilities.

            According to one former high-ranking U.S. intelligence official: "This is about preparing the battlefield for another type of covert action [...] Cyber-collection against the Iranian program is way further down the road than this."  The official also indicated that Flame and Stuxnet were elements of a larger assault that continues even today.

            Eugene Kaspersky, whose security lab recently discovered the Flame virus that had been used against Iran says that there should be an immediate global effort designed to stop what he calls cyber terrorism.  "It's not cyber war, it's cyber terrorism and I'm afraid it's just the beginning of the game [...] I'm afraid it will be the end of the world as we know it [...] I'm scared, believe me."

            Roel Schouwenberg, a senior researcher at Kaspersky Lab, said: "We are now 100 percent sure that the Flame and Stuxnet groups worked together [...] The fact that the Flame group shared their source code with the Stuxnet group shows they cooperated at least once."

            Cyber security experts say that Flame is one of the most sophisticated malware codes that has ever been discovered, and believe that it was released to specifically infect computer systems in Iran and in rival regimes across the Middle East.

            It seems as though news of cyber warfare, cyber attacks, cyber terrorism is on the rise.  These are interesting times to be part of information security.  I don't foresee a slowdown in the development of more advanced cyber attack methods, programs, or code, if I had to guess, the cyber battle space will continue to grow and will be the new frontier for a new kind of war.  It's going to be an interesting few years to be sure!   


References:

Heyes, J.D. (2012).  Flame malware, created by US government, could wreck critical infrastructure.  Retrieved 21 June, 2012, from: http://www.infowars.com/flame-malware-created-by-us-government-could-wreck-critical-infrastructure/

Rey, F.  (2012).  US and Israel developed Flame malware to cripple Iranian nuclear power program.  Retrieved 21 June, 2012, from: http://socialbarrel.com/flame-malware-nuclear-power-program/39261/

THN Security Analyst (2012).  US and Israel developed flame malware against Iran.  Retrieved 21 June, 2012, from: http://thehackernews.com/2012/06/us-and-israel-developed-flame-malware.html

Thursday, June 14, 2012

Sources for IT Security News, Threats, Vulnerabilities and Updates



This post will identify credible sources of information for IT threats, vulnerabilities, updates, and security news in general. Included is list of sources I consider to be credible, and why.



·         http://nvd.nist.gov/ -  My #1 site for information on security vulnerabilities is the National Vulnerability Database (the NVD is sponsored by the Department of Homeland Security's National Cyber Security Division/US-CERT and NIST).  The NVD is the U.S. government repository of standards-based vulnerability management data, represented using the Security Content Automation Protocol (SCAP).  It covers vulnerability management, security measurement, and compliance.  Included are: security checklists, security-related software flaws, misconfigurations, and impact metrics (CVSS scores for each CVE).



·         http://cve.mitre.org/ - The Common Vulnerabilities and Exposures (CVE) is international in scope and is free for public use.  The CVE is a large dictionary of publicly known information security vulnerabilities and exposures.  The CVE can be used for vulnerability management, patch management, vulnerability alerting, intrusion detection, and much more.    



·         http://www.symantec.com/security_response/ - who does security better than a company that earns its bread and butter by providing security solutions?  The list of threats, vulnerabilities, risks, and security news delivered by Symantec is arguably near the top of the list; the list is constantly updated and is vast, covering: spyware, adware, hack tools, joke programs, remote access tools, hoaxes, trackware, and more.



·         http://www.iss.net/threats/ThreatList.php - A great list of current and relevant Internet threats and vulnerabilities.  Though the list is geared towards showing how IBM ISS products & services can help protect against the listed threats, it gives plenty of details on what the threats and vulnerabilities are, what they do, and steps that can be taken to mitigate the risk.



·          http://www.itsecdb.com/oval/ - The IT Security Database (ITSECDB) collects Open Vulnerability and Assessment Language (OVAL) definitions from sources such as: Mitre, Red Hat, Suse, NVD, Apache, etc. and provides a one-stop shop with easy to navigate web interface to research a wide array of IT security related items such as patching, vulnerabilities, and compliance checklists.



·         http://www.exploit-db.com/ - The Exploit Database (EDB) is another great site to check out, at the time of typing this, they have a total of 16,108 exploits archived.  This site is geared towards penetration testers, vulnerability researchers, and security addicts.  The site also has blogs, papers, and a community who is apt to share information.  The site is run by the folks at: http://www.offensive-security.com



·         Other good resources for security news (a.k.a. the usual suspects):

o   http://news.cnet.com/security/

o   http://thehackernews.com/

o   http://www.securityfocus.com/

o   http://www.blackhat.com/

o   http://seclists.org/isn/

o   http://www.zdnet.com/topics/security

o   http://www.scmagazine.com/

o   http://www.nist.org/news.php

o   http://www.securityweek.com/

o   http://www.eweek.com/c/s/Security/

Sunday, June 10, 2012

The Weakest Link

Last week was a bad week for three major Internet companies: LinkedIn, eHarmony, and Last.fm were all targeted and successfully breached.  Early in the week, two files containing password hashes were posted on a Russian hacker forum (InsidePro.com), a site which offers password-cracking tools; one file contained 6.5 million hashes, the other 1.5 million.  The files were posted by a user "dwdm" who asked others to help crack them.  The forum thread has since been taken offline.  The passwords were not displayed in plain text but were obscured via hashing, though it is reported that more than 200,000 of them have already been cracked.

So far none of the companies has released details about how their users' password hashes got into the hands of the attackers.  LinkedIn says the passwords in the file were hashed with the SHA-1 algorithm and that no other data (user names or personal data) accompanied them; the hashes were also unsalted, which is a large part of why so many were cracked so quickly.  Security experts are strongly advising people to change their passwords immediately, and eHarmony has reset the passwords of accounts it believes were affected.  Many of the passwords published to the forum contained the term "LinkedIn" (e.g. "linkedin1234" or "linkedinabcd"), a good indicator that these were in fact LinkedIn passwords; it also shows how many people build weak passwords from the site name plus a string of easy-to-remember characters.

Just because the password lists were posted without user names does not mean that the original poster doesn't have the user name list that goes along with them.  For this reason, anyone using any of these services should change their password immediately.  This is also an excellent reason why one password should not be reused across sites: if the attackers crack a password and all your accounts share the same login information, they essentially have a master key to your online life.

Simple passwords made of dictionary words and strings such as 123 or abc are quick to crack.  A strong password doesn't necessarily need to be filled with special characters and numbers: a long passphrase of four unrelated words such as Chicago, hockey, cigar, and certification (Chicagohockeycigarcertification) would take a brute-force tool a very long time to exhaust character by character.  The caveat is that word-combination attacks exist, so the words should be picked at random rather than from things an attacker could associate with you.  Changing a few characters to numbers or special characters (all e's to 3, all i's to 1) doesn't hurt if you can remember the substitutions, but crackers apply exactly these substitutions as rules, so on their own they add little.

Best practices would be to limit the amount of personal information you share online, use hard to guess/crack passwords, change your passwords frequently, and don't use the same password for multiple sites.
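An added example of why the leak above was crackable in days (my code, not the blog's and not anything from LinkedIn): a miniature dictionary attack against unsalted SHA-1 hashes using the site-name-plus-suffix and leet-substitution patterns the post describes, followed by the same attack against salted, iterated hashes.  The wordlist, suffix list and "leaked" passwords are all constructed for the demo; PBKDF2-HMAC-SHA256 is my stand-in hardened form (bcrypt or scrypt are the usual production choices), and the round count is deliberately low so the demo runs in seconds.  The point the text alone cannot show is the arithmetic: with unsalted hashes one guess is tested against every leaked hash at once, while with per-user salts every guess must be recomputed per user, and each computation is thousands of times slower.

```python
import hashlib
import os

SITE = "linkedin"
# Constructed mini wordlist and suffixes. A real attack uses wordlists of
# millions of entries plus rule files (John/hashcat); the pattern is the same.
WORDS = ["password", "hockey", "chicago", "cigar", "welcome", SITE]
SUFFIXES = ["", "1", "12", "123", "1234", "abcd", "!", "2012"]
LEET = str.maketrans({"e": "3", "i": "1", "a": "4", "o": "0"})

# Constructed "leak": the passwords behind five fictional users' hashes.
# The last one is a four-word passphrase; no rule below will reach it.
LEAKED_PASSWORDS = [
    "linkedin1234",
    "linkedinabcd",
    "L1nk3d1n!",
    "hockey123",
    "Chicagohockeycigarcertification",
]


def candidates():
    """Yield guesses: each word plain, capitalised, leet-substituted, and both,
    each followed by every common suffix (6 words x 4 variants x 8 suffixes)."""
    for w in WORDS:
        for base in (w, w.capitalize(), w.translate(LEET), w.capitalize().translate(LEET)):
            for s in SUFFIXES:
                yield base + s


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, as the leaked LinkedIn hashes were stored."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes):
    """One hash per guess is compared against EVERY leaked hash via a set lookup,
    so the cost is independent of how many accounts leaked."""
    found, tries = {}, 0
    for guess in candidates():
        tries += 1
        h = sha1_hex(guess)
        if h in leaked_hashes:
            found[h] = guess
    return found, tries


def pbkdf2_hex(password: str, salt: bytes, rounds: int) -> str:
    """Salted, iterated hash. Production round counts are far higher than the demo's."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_salted(records, rounds: int):
    """With a unique salt per user, each guess must be recomputed for each record;
    the per-guess work scales with the number of victims and with `rounds`."""
    found, tries = {}, 0
    for salt, h in records:
        for guess in candidates():
            tries += 1
            if pbkdf2_hex(guess, salt, rounds) == h:
                found[h] = guess
                break
    return found, tries


def run_demo(rounds: int = 2000):
    """Attack the constructed leak stored both ways and report what was recovered."""
    unsalted = {sha1_hex(p) for p in LEAKED_PASSWORDS}
    found_u, tries_u = crack_unsalted(unsalted)

    salted = []
    for p in LEAKED_PASSWORDS:
        salt = os.urandom(16)            # per-user random salt, stored beside the hash
        salted.append((salt, pbkdf2_hex(p, salt, rounds)))
    found_s, tries_s = crack_salted(salted, rounds)

    return {
        "unsalted_cracked": sorted(found_u.values()),
        "unsalted_tries": tries_u,
        "salted_cracked": sorted(found_s.values()),
        "salted_tries": tries_s,
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"unsalted SHA-1: {len(r['unsalted_cracked'])}/{len(LEAKED_PASSWORDS)} cracked "
          f"in {r['unsalted_tries']} fast hashes: {r['unsalted_cracked']}")
    print(f"salted PBKDF2: {len(r['salted_cracked'])}/{len(LEAKED_PASSWORDS)} cracked "
          f"in {r['salted_tries']} slow hashes: {r['salted_cracked']}")
```

Both runs recover the same four weak passwords, which is the honest lesson: salting and stretching make the attacker pay per user and per guess, but they do not rescue "linkedin1234".  Only the passphrase survives in both cases, because no rule derives it from the wordlist.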


References:

Mills, E. (2012).  What the password leaks mean to you (FAQ). Retrieved 10 June, 2012, from: http://news.cnet.com/8301-1009_3-57449325-83/what-the-password-leaks-mean-to-you-faq/?tag=epicStories


Paul, I. (2012).  Update: LinkedIn confirms account passwords hacked. Retrieved 10 June, 2012, from: http://www.pcworld.com/article/257045/update_linkedin_confirms_account_passwords_hacked.html


THN Security Analyst (2012).  Last.fm confirms they were hacked, change your passwords now.  Retrieved 10 June, 2012, from: http://thehackernews.com/2012/06/lastfm-confirms-they-were-hacked-change.html