Blue Team Starter Kit - Twitter for intelligence

November 23, 2015

Twitter is a wonderful tool for getting live streaming information from around the world. This isn’t exclusive to information security. Sporting, political, entertainment, and other types of news first break on Twitter. It's also a valuable research tool and forum to discuss security topics. This can work to the advantage of a security team that embraces the social media platform.

I first discovered the value of Twitter when the Heartbleed news broke. Initially, we thought Heartbleed wouldn’t affect us. But after finding a free scan tool via Twitter we discovered that we were dead wrong. Unsure of how this was possible we started investigating. Twitter having served its discovery purpose now shifted into a research tool.

At the time everyone was discussing the vulnerability. There were plenty of links each uniquely analyzing and explaining the vulnerability. XKCD even had a great comic on it. After gaining a basic understanding of the vulnerability we needed to confirm our findings. After some more research, we found a tool for that purpose. Twitter wasn't the only tool we used (Google previously discussed was also used), but it did compliment our efforts for understanding, testing, and ultimately mitigating the vulnerability.

There are several ways a security team can setup Twitter. We ended up creating a brand new account. This allowed us to share the Twitter feed among ourselves and various devices. We then followed as many security professionals and companies as we could find. Hashtags like #infosec are a good place to start when searching for accounts to follow. Other hashtags that can be scouted for infosec accounts to follow include:

#appsec (application security)
#dtsr (podcast discussion hash tag)
#pentesting (red teaming)
#dfir (digital forensics, incident response)
and many more.

Twitter also provides the list feature for carving out accounts that focus on an individual discipline. Simply, create a new list and start adding people to it. The great thing about lists is that you don't have to be following the account to add it to a list. This is useful for organization and to keep work from invading your personal Twitter feed constantly (if you have one). Lists are able to be subscribed to, if there's a desire not to start a new account.

Tweetdeck and Hootsuite are two options for managing multiple Twitter feeds. They allow for multiple feeds to be displayed in the browser. I typically have my person feed, personal interactions, the security team feed, and then either a hashtag or list.

If you haven’t incorporated Twitter into your day-to-day monitoring, do it. It’s a powerful tool that leverages live information on news, discussions, and tools. It’s free (which makes it affordable) and it’s simple to use. Keeping a thumb on the pulse of information security is essential for any security team.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Google for research

November 12, 2015

Google is a powerful tool for information security or IT in general. I was first introduced to Google back in 2003, while serving in the US Navy. Before Google I had used Yahoo, Netscape, and Lycos search functions with varying results. Once Google showed up, it changed the game. More accurate and quicker results became the norm. The other search engines began to fade until eventually Google was the reliable go to.

At my DerbyCon talk, someone mentioned Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown. The book takes a red team approach to utilizing Google. While that is important we're going to focus on some beginner level techniques in this post.

As with all the tools we’ll be covering, using Google is well documented. If a search technique needs better understanding, Google it. It’s that simple. Two of my favorite parameters to use are: quotation marks (“ “) and site search (site:).

Using quotation marks (“ “) around search terms will help refine searches. For example if I search for infosec tools I’ll get one set of results:

Using “infosec tools” I get a different set of results:

The first search term (infosec tools) is checking the entire page for the words infosec and tools. The second search tearm (“infosec tools”) is looking for that specific phrase in the web page. I've found using quotations useful for searching names and complex problems. Putting the quotations around a phrase helps refine the search. The search infosec tools returned 701,000 results; the search “infosec tools” returned 2,940 results.

This technique is also useful for using exact words with other terms. Example: Forensics “infosec tools”

The other parameter I like to use is the site: parameter. This parameter allows you to search within a specific site for specific words or terms:

2015-11-10 11_59_50-site_timothydeblock.com NSA - Google Search.png

That’s 19 results for the word NSA on this site. This is useful for searching blogs or sites that are difficult to navigate. Earlier today I came across this post on MOZ that talks about 25 operators specifically for the site: parameter.

There are numerous other search operators available to further refine searches. filetype: is another useful one. This operator is useful for discovering specific file types like a spreadsheet or PDF. Here are two of the many sites that dive deeper into Google search operators:

We’ve only scratched the surface, but this is a good starting point. Google is a powerful tool for security teams. Learning to use it effective is a valuable skill for any security team. From here disciplines like Google Dorking and OSINT await. As well as other tools that will help make your team better at what they do.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Introduction

November 5, 2015

I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.

My talk Blue Team Starter Kit presents several security challenges with low cost solutions. It is for security professionals with limited resources including time, money, and people.

LIMITED RESOURCES IS ONLY AN EXCUSE

Limited resources can be it’s own challenge.

“If only we could buy this appliance, all our problems would be solve.”

Except that when that appliance come in, it takes time to configure and train. Oh, and that function that the salesmen says would solve all our problems, ya, that doesn’t work. Some appliances work great. Other times not so great. Unfortunately, when the not so great happens we lose money and time. Look in house before even beginning to research solutions that can solve problems.

Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender, love, and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.

Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.

CHALLENGE #1 - Research

Google is a fantastic tool for doing research. It is the first stop to begin solving difficult challenges. Understanding Google’s search techniques is a vital in becoming a proficient IT professional. COST: Behavioural data

CHALLENGE #2 - Threat Intelligence

So, how do I keep up with information security and it’s every changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and more precisely Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people to ask questions and make connections. Sure there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data

CHALLENGE #3 - Application Security

Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Setup as a proxy ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free

An alternative to this tool is Burp Suite which has a community version and a paid version. COST: $300 year (Professional version)

CHALLENGE #4 - Forensics

As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST:Free

An alternative to this tool is Volatility. COST: Free

CHALLENGES #5 - Endpoint Security

Microsoft’s Enhanced Mitigation Experienced Toolkit (EMET) adds an extra layer of protection to machines with Adobe Flash, Java, and Microsoft products involved. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often times have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free

CHALLENGE #6 - Patch Management

This is a big one and one that might be the most difficult of all the challenges. I tried a couple internal applications (it's amazing how many solutions have a deploy software function), with frustrating results. That is until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory it has the potential to help patch third-party software. COST: $500 (Enterprise version)

CONCLUSION

The challenges and tools above I plan to dive deeper into over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions, first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good of a job.

Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

Trends 2015 presented by IT-ology wrap-up

October 28, 2015

Trends 2015 presented by IT-ology was today and I am exhausted.

Every year in the fall IT-ology selects a technology topic to hold a conference on. This year was security, so naturally ColaSec was involved in providing speakers, volunteers, and marketing for the conference. Four keynote speakers filled the morning track and 12 speakers filled the afternoon tracks, which were split into technologist, civilian, and business. I presented a talk titled, "Low cost tools for security challenges" in the technologist track.

For those coming to my site who were in that talk, here are my slides and here are my videos (from previous conferences) of the talk. I got some good feedback from in regards to the talk, which was very much appreciated.

Trends 2015 was the last time I intended to give this particular talk. The recordings are out, my slides are out there, and I'd like to move onto some fresh content. What that is, I don't know yet, but I have some ideas. Before I move onto some fresh content, I want to compliment the video and slides of my talk with some blog posts that go a little more in-depth with the tools I presented. Over the next several weeks I intend to have a post a week, with step-by-step instructions on how to use each of the tools in my talk.

Thank you to everyone that made it to my talk and any feedback is still welcome.

This post first appeared on Exploring Information Security.

Investing in the people who work on a security team

October 22, 2015

I was recently featured in an article title The support security leaders need for better cloud security on CSO Online by fellow palmettoian(?) Michael Santarcangelo. I'm working with Michael on improving my writing while exploring various topics within information security. I did not realize moving to the cloud had become such a hot trend for businesses. It makes sense, though, and is probably something that will become more excepted. After thinking about it I realized I've had some exposure to moving certain IT functions to the cloud already. It makes sense for the right technology, and the technology is only getting better, so it will make sense for more and more initiatives.

As I was researching the topic one challenge began to stick out to me. Is everyone on board, specifically those in security, with moving business and IT functions to the cloud? Talking to several IT people I work with and know, I came away with a feeling of hesitation. Hesitation or not, the business is making the call to move to the cloud and doing it at an ever increasing pace. Which is why it is important for all members of a security team to have an understanding and be comfortable with technology moving to the cloud. It is happening whether we like it or not. We could say, "no" but that just means we are being the brick wall that the business will hammer through or more simply walk around or climb over. I have come around to the idea that security needs to be an enabler of the business, but security leaders needs to become an enabler of the people on the security team.

I'm seeing a lot of managers and leaders wanting to do good things, but not finding the time to invest in their people. They are slammed with meetings and projects and spending time with the members of the security team just doesn't fit into the schedule. They were hired to do a job and that's what they'll do, plus they are slammed with a long to do list too. Here's the thing, the people on the security team have wonderful ideas, they have creative ways to solve problems, but more importantly they want to help find solutions to problems the manager is facing. If there's a disconnect all that creativity and input goes to waste.

We often hear about the talent shortage within security. The easy solution is to higher more people and get better funding. The even easier solution is to invest in the people already on the security team. Are security leaders getting the best out of their people? The only way to find out is to invest in the team, not just in training but in mentorship. Sitting down with them to understand their frustrations, provide mentorship, give feedback, and more importantly enable them to be the best they can be. Santarcangelo followed up the article above with one titled The security talent shortage and your leadership opportunity. It's a slideshow format article, which makes it a quick read and it asks some questions on what leaders are doing to address the talent shortage.

Wrapping up (because this is already longer than intended), I'm seeing security teams struggle with finding and then keeping people. As it happens, I was listening to a podcast from NPR's Ted Radio Hour titled The Meaning of Work. The episode explores how we make work more meaningful. Compensation is not something that makes work more meaningful. The environment, the culture, and the challenges are what make work more meaningful. Investing in the security team will help build a better environment and culture. Enabling the security team will help create more challenging opportunities that lead to more meaningful work. More meaningful work makes for a happier security team and a happier security team accomplishes so much more than an unhappy security team.

This post first appeared on Exploring Information Security.

More resources for IT certifications

October 20, 2015

The latest Exploring Information Security podcast episode, "What certifications are available for infosec professionals?" released yesterday and I've already started getting some great feedback from the episode.

@TimothyDeBlock Also ran across this: http://t.co/eiegAtvxls
— Tyler Neeriemer (@tyneeriemer) October 19, 2015

Tyler Neeriemer on Twitter shared with me a couple links that had certificate roadmaps in them. I really liked this one from CompTIA. The roadmap includes non-CompTIA certs and is laid out intuitively. There's also this article from 2012 by SecureState.

Feedback for the podcast and any helpful links that contribute to an episode are always welcome.

This post first appeared on Exploring Information Security.

DerbyCon talk and impressions

September 28, 2015

DerbyCon lived up to its top billing as one of the best security conferences to attend. It is amazing how much is going on at the conference the entire time. Five talk tracks, CTF competition, lock pick village, vendor area, and of course LobbyCon. And that doesn't include the evening festivities like Hacker Jeopardy, a showing of Hackers to hackers, or the two nights of concerts (DualCore and The Crystal Method). There was a constant roar coming from the lobby of DerbyCon each day from 8 a.m to 6 a.m.

The con was well located in downtown Louisville, Kentucky. Outside of the venue is a plethora of food choices and entertainment. All within a two block radius. The farthest I ventured away from the con was about three blocks for breakfast with a group of old and new acquaintances.

Speaking of acquaintances, I got to catch up with people I've meet at previous conferences, as well as meet some new ones. That is one of the best things about attending these conferences, the connections you create and maintain (and I've made a whole bunch in the one-plus year of attending cons).

Below is the recording of my DerbyCon talk and a link to my slides.

DerbyCon talk slides

I was pretty happy with my talk. I wish I wasn't so monotone, but part of that was nervousness and the other part was sitting down for the talk. I believe later speakers stood up with microphone, which is something I should have done. Sitting down to give my talk sucked some of the energy from it. Looking past the lack of energy, I have gotten good feedback on the talk. Everyone that I talked to about the talk said it was good and useful, which was my ultimate goal.

I am very much looking forward to DerbyCon 2016

This post first appeared on Exploring Information Security.

BSides Augusta gallery and pictures

September 21, 2015

Media

The gallery for BSides Augusta can be found in my Photography section.

BSides Augusta 2015

BSides Augusta, Georgia, September 12, 2015.

My Blue Team Starter Kit talk is available on YouTube.

Impressions

This was my second year attending BSides Augusta. As I've mentioned several times, this is one of the best run security conferences out there. You can tell pretty quickly that the organizers put a lot of effort and time into ensuring everything runs smoothly. This year was no different. I heard Mark Baggett tell one persont hat there were some minor hiccups in the morning. I didn't notice them. The only thing I could tell was that they overlooked the registration line. They had lines divided up into last name, but it was apparent entering the building.

Aside from that, everything else ran smooth for the conference. Speaking of attendance, the number reached 500 this year. That's up from 300 last year, which makes Augusta one of the bigger BSides events. The event is expected to grow even more as the Army continues to grow its cyber command at Fort Gordon.

I didn't get to sit in a lot of talks, but there seemed to be a pretty strong malware theme this year. Joel Esler's "2015 - It's Not Over Yet" and Wes Widner's "Lessons Learned from Analyzing Terabytes of Malware" are two such talks that stood out to me as I hoped from track to track taking pictures. But Paul Melson's "Viper Framework for Malware Analysis" and Alex Rymdeko-Harvey's "Malvertizing Like a Pro" are two more talks that deal with malware. I plan to go back through several of the session's at BSides Augusta after the baseball season is over.

If you live in the South East, I highly recommend BSides Augusta. Especially for security professionals working on a blue team. It's rare for a security conference to have two blue team tracks and I don't see that changing in the future. Put the event on your calendar for next year. I promise you won't be disappointed.

This post first appeared on Exploring Information Security.

Data Driven Security - all about the analytics

August 31, 2015

I've been remiss in my blogging duties. I've had some changes in my life recently, but I'd like to get back to posting on a regular basis and there's not real a good reason why I should be able to do that. Allow me to rectify my absentmindedness by talking about the book Data-Driven Security by Jay Jacobs and Bob Rudis.

This was a wonderful book to read as an information security professional. As information security matures (and the world in general) metrics and analytics are going to become a bigger part of the field. We see sabermetrics taking over baseball and other sports for the simple fact that it helps organizations gain a deeper understanding of what the have, which leads to making better decisions. Those same strategies can help many professional fields, including information security.

Each chapter of the book covers a different scenario in which data is analyzed to answer an infosec related question. It also discusses the art of visualization and how to make communicating numbers more useful to people (*cough*executives*cough*). The book exposes the reader to the wonderful world of Python and R studio, both of which are used to analyze and make sense of the data, without requiring too much previous knowledge. Each chapter walks the reader through exercises utilizing pre-built Python scrips in R Studio, just enough to wet the petite.

What I really enjoyed about the book was that it was easy to read. It wasn't bogged down with numbers or big words. Of course, I'm not exactly a newb to reading about statistical analysis. Still, I think people with some interest in data-driven security will find the book a fairly easy read. It's a great starting point for those wanting to explore a discipline in security that is likely to become more and more relevant as security and data matures.

This post first appeared on Exploring Information Security.

Exploring Information Security podcast launches

August 9, 2015

A year ago I started a small podcast project called, Exploring Information Security. The idea of the podcast is to explore different topics, ideas, and disciplines within information security. I started the podcast at a horrible time and was thus unable to keep the project going. I've since found myself with more time to pick this neat little podcast idea back up.

iTunes feed: https://itunes.apple.com/us/podcast/eis-podcast-timothy-de-block/id1026428940

Some iTunes ratings would be fantastic and any topic suggestions. I've got a running list of topics I want to cover and guests to interview for those topics, but I'll always take more suggestions. For now, new episodes will release every Monday, starting tomorrow August 10, 2015. I have four podcasts scheduled for the rest of August, with four more ready to be edited.

This post first appeared on Exploring Information Security.

Back from vacation: Trends 2015, DerbyCon, and podcast

August 4, 2015

Trends 2015

October 28, 2015, IT-ology will be hosting Trends 2015, which will focus on:

"...the overall digital transformation taking place in society and the associated security issues that come along with it."

The ColaSec group has been asked to help with promoting and finding speakers for the event. The call for presenters is now open. Here are the details:

IT-oLogy presents Trends 2015

Cybersecurity 2020: The Impact of Digital Business on Security

CALL FOR PRESENTERS NOW OPEN

Form to submit: https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

What is Trends?

An IT-oLogy (www.it-ology.org) hosted annual conference focusing on technology issues and topics that are “trending” nationally as well as regionally/locally. Basically, it heightens awareness around issues that will impact the future of IT-oLogy partners, the local and regional community, and South Carolina in a big way. The conference is kicked off by a presentation from a Gartner analyst.

2015 Topic:

This year’s topic is the overall digital transformation taking place in society (everything is becoming ‘digital’) and the associated security issues that come along with it.

2015 Date/Location:

Trends will take place Wednesday, October 28 fro 9:00 am to 4:30 pm EST at IT-oLogy, 1301 Gervais Street, Columbia, SC 29201.

Call for Speakers:

The 2015 Call for Speakers is now open. We’re looking for talks in the following areas:

Digital Transformation

A massive “digital transformation” is taking place in society and the pace is only accelerating. Industries, as well as organizations and individuals, are being impacted in ways never imagined. What are examples of this transformation? How is it having an impact? Why is it important?

Security, specific to the following areas:

C level/Executive – security issues impacting executives at all levels (decision makers). Those topics executives should be aware of and know about.
Technologists – issues impacting those at a hands-on technical level. Target audience here will be technologists.
Citizen 101 – issues impacting everyday citizens. Things they should be aware of. Examples might include a very basic overview of how to encrypt email and/or attachments (most don’t have a clue), why changing passwords often is a must-do (and how to keep up with all those passwords), and other like issues.

Do you have a presentation? We’d like to hear from you! Please fill out the form and Todd Lewis (todd.lewis@it-ology.org) will respond!

https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

DerbyCon

While on vacation last week, I was surprised to receive an email from the organizers of DerbyCon informing me that my Blue Team Starter Kit talk was accepted. I was a bit surprised to have my talk accepted, then I was a little terrified to be speaking at one of the biggest and well known security conference in the US. Now I'm really excited to be speaking at the event and I look forward to the experience of not only speaking at DerbyCon but attending the conference as well.

Which leads to my next point. I need to figure out a place to stay. If anyone wants to split a room, get in touch. Also, I'll be driving to Louisville, KY, from Lexington, SC, anyone in between is more than welcome to contact me about a ride. I will be heading to the conference on the 24th of September.

Exploring Information Security

I will be working on getting the podcast feed setup for the Exploring Information Security podcast, so I can submit it to iTunes and begin releasing episodes next week. Feedback and suggestions for future episodes are welcome.

This post first appeared on Exploring Information Security.

The return of the Exploring Information Security podcast

July 20, 2015

A year ago, I started an information security podcast that explores different topics and disciplines within the field. I stopped producing the podcast because I had too many things going on at the time and my final year of school was about to start. I was overwhelmed and that was an easy project to stop doing. A year later and I've found myself with more time and a desire to continue the project I started a year ago.

This week I have two interviews lined up with more expected in the coming weeks. My plan is to launch in early August. I will be putting the first three episodes I did last year up on iTunes and then begin releasing the episodes weekly. All seven episodes I did last year can be found at http://www.timothydeblock.com/eis/. I will continue to release episodes there, as well as on your favorite podcast directory.

This post first appeared on Exploring Information Security.

Prepare the patches

July 8, 2015

Two patches are coming down the patch management pipe starting today. First, Adobe is supposed to release yet another out-of-band patch for its flash player to address a zero day vulnerability discovered in the Hacking Team breach.

And on Monday OpenSSL announced they would be releasing a patch for a "high" severity vulnerability in OpenSSL versions 1.0.2d and 1.0.1p.

Hooray patches!

This post first appeared on Exploring Information Security.

CircleCityCon gallery is up and bonus GIFs

July 7, 2015

All the CircleCityCon pictures are now available on Flickr.

Below are some GIFs I made from the pictures I took.

DJ Rance giving CircleCityCon attendees something to bounce to.

Who's behind the mask?

@TimothyDeBlock @CircleCityCon @revrance hmmmmmmmmmm
— Eddie Mize (@EddieTheYeti) June 30, 2015

Here's the ladies of CircleCityCon having some fun during their "photo shoot."

This post first appeared on Exploring Information Security.

CircleCityCon Links

July 6, 2015

I meant to include this on my last post, but I completely forgot. Here are some links to impressions other people had of the CircleCityCon conference that I found perusing my Twitter feed.

My First "Con": Alice in Security Wonderland by Cheryl Biswas

The Power of Community -- Circle City Con Edition by Chris Maddalena

This post first appeared on Exploring Information Security.

CircleCityCon impressions and pictures

July 2, 2015

In mid-June I traveled to Indianapolis, Indiana, to be the photographer for the security conference called CircleCityCon. Click the Gallery link below to see some of my favorite pictures from that conference.

CircleCityCon 2015

CircleCityCon Indianapolis, Indiana, June 12 - 14, 2015.

One of the things I noticed while processing pictures from the security conference were all the smiles people had. The conference was a blast and it appeared that everyone involved was having a pretty good time.

Chris Roberts AKA Sidragon AKA the dude who flew a play "sideways" kicked off the conference, followed by a Space Rogue opening keynote. From there, the conference featured three security talk tracks, and four to six training tracks. DJ Rance and DJ Cy-Fi and DJ Triptych provided some kickass sound for both Friday and Saturday after parties, which included walls lined with old arcade games. Duane & Brando rocked the stage Friday night and MC Frontalot got the hackers dancing Saturday night. There was also a capture the flag (CTF) competition, lock pick village, and activities for kids. It was a well rounded conference, that I would recommend to any security professional.

My favorite part of the conference came during closing ceremonies when announcing how much money they had made for the five charities they were supporting at the conference. I don't remember the exact amount the conference made, but at one point Micheal Smith AKA DrBearSec said they would contribute $200 more to a particular cause to round the total up to $1000. I absolutely loved that and that gesture reaffirmed that I was contributing to something special.

I had a fantastic time. I got to meet a lot of people I interact with online and I also got to meet some new people I hadn't interacted with online yet, but will be in the future. I hope everyone enjoys the pictures and I look forward to next year's conference.

This post first appeared on Exploring Information Security.

Catching up update: CircleCityCon, BSides Augusta, and a 360 music video

June 24, 2015

I've got all the pictures processed for CircleCityCon and sent to DrBearSec for him to do with what he will. In total I processed about 360 pictures. I have two GIF ideas left to put together and then I'll be done with my venture. Look for a post about CircleCityCon and a gallery of some of my favorite pictures from that event.

In the mean time, here is InfoSystir AKA Amanda social engineering here way onto the stage at Dick's Last Resort in Indianapolis for a bachelorette dance off.

My talk, "The Blue Team Starter Kit" has been accepted by the CFP committee at BSides Augusta and I will be presenting there September 12, 2015. This will be my first time presenting at a security conference and I'm very excited about it.

Finally, this is just a really cool music video from Mike Shinoda's project, Fort Minor. Check out the website for a controllable 360 view.

This post first appeared on Exploring Information Security.

Eddie Mize and his fantastic art at CircleCityCon

Catching up: CircleCityCon, ColaSec, and Astros hack

June 17, 2015

It's been a very busy week and it all started last Thursday when I departed for Indianapolis to be the photographer for CircleCityCon. 1300 driving miles and 25 walking miles later and I was back home with 3473 pictures to go through, a ColaSec meeting to get ready for, and a baseball hack to write about.

I've gotten the pictures down to 400+ shots I like and I hope to have something by next week, if not earlier.

Here is the wrap-up post from our ColaSec meetup on Tuesday.

Finally, here is my writeup on Astros County regarding new information involving the Astros hack from last year. The Cardinals did it!

This post first appeared on Exploring Information Security.

Heading to CircleCityCon

June 10, 2015

Early Thursday morning I will depart South Carolina and head North to Indianapolis, Indiana, for the three day security conference called Circle City Con. The conference is a three day event with training, speakers, and nightly entertainment that begins June 12, 2015, and ends June 14, 2015.
I am signed on as the photographer of the event to document with pictures all the fun things.

I would love to meetup with anyone going that I know, or even don't know. If you see me walking around the con stop me and say, "hi." Also, if anyone lives between South Carolina and Indiana and needs a ride, let me know. We might be able to work something out.

Check out what the lucky @CircleCityCon 2015 attendees will be getting at the event next weekend! pic.twitter.com/CUTnRkwS8G
— SyncStop (@SyncStop) June 4, 2015

This post first appeared on Exploring Information Security.

Verizon Data Breach Investigation Report impressions

June 3, 2015

This is the first year I've read the full Verizon Data Breach Investigation Report. It was quite entertaining, but then again I'm into baseball and within baseball I'm into statistics. The report was easy to read, interesting, and informative and here are my impressions of the 70 page-ish report:

Threat Intelligence

Sharing threat intelligence is useful, but the strategy needs to be more, "going to the well" than "drinking from the hose." Think of the NSA's collection of information, which has been found to largely be ineffective at discovering attacks.

Phishing

Communications, legal, and customer service departments were all more likely to open a phishing email. There is no easy solution or magic wand that can make phishing go away. We need to focus on better filtering, developing and executing an ENGAGING and THOROUGH security awareness program, and improve detection and response capabilities.

Vulnerabilities

It's more effective to focus on getting a patch deployment strategy put in place, than trying patching systems as soon as a new patch is in place. Ten CVEs account for almost 97% of exploits observed in 2014. The ten:

According to this list, there is still a lot of vulnerabilities from the past that need to be patched. Getting a patching process in place is great for all the new stuff, but don't forget about all the old stuff that came out before the security team was in place.

Mobile

".03% of smartphones per week were getting owned by "high-grade" malicious code."

Android is the worst operating system (everyone saw that one coming) and, "most of the malware is adnoyance-ware and similar resource-wasting infections." This might change in the future, but for now it's not a huge area of concern.

Malware

My favorite line came from this section, "Special snowflakes fall on every backyard," which is in relation to "new" malware getting around anti-virus as being described as "advanced" or "targeted." Not the case according to the report. Malware is being given unique hashes to avoid detection by anti-virus.

Industry profiles

Each organization is unique, which is not earth shattering, but good to understand when looking at internal and external entities.

Impact

There is some supply and demand with data breaches: the higher the amount of records lost; the lower the cost of each record. Keep in mind records only tell half the story when it comes to the impact of a breach. There is fallout, not only within the company but outside it.

Incident classification patterns

96% of data breaches fall into nine basic pattersn:

POS Intrusions - 28.5%
Crimeware - 18.8%
Cyber-Espionage - 18%
Insider Misuse - 10.6%
Web App Attacks - 9.4%
Miscellaneous Errors - 8.1%
Physical Theft/Loss - 3.3%
Payment Card Skimmers - 3.1%
Denial of Service - .1%

These are all from the first half of the report. The other half of the report went into discussing each time of data breach and what we can learn. I highly recommend reading the whole report. Not only is it an easy read, but it gives great insight into the current landscape of breaches

This post first appeared on Exploring Information Security.