CSO panel and thoughts on Cardinals-Astros breach

January 10, 2016

Last month I participated on a panel for CSO on, "The pathway to the security talent we crave." The audio and transcript from that panel is up for those who have a free account with CSO.

Former St. Louis Cardinals employee, Chris Correa, was in court for his unauthorized access of the Houston Astros database, Ground Control, on Friday. I read through the five-page indictment and shared my thoughts on Astros County in regards to how the breach occurred.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - PDQ Deploy for patch management

December 22, 2015

Patch management is one of the hardest initiatives to solve for an organization. Setting up a Microsoft Windows Server Update Services can help with Windows updates. Third-party software patching is a bit trickier. Secunia and other options are available for those with the financial resources. For everyone else I recommend PDQ Deploy.

What is PDQ Deploy

PDQ Deploy is an Admin Arsenal offering. It’s free to download and use. The free version is limited, but can give you an idea of what to expect with the program. The enterprise version costs $500 and well worth it.

The program helps to solve patch management, but it can also function as a general software deployment solution. In my previous post, I talked about EMET. PDQ Deploy is the tool I used to easily deploy EMET to my environment. Packages come pre-configured. No parameters or variables need to be set. Just download, select your target computers, and fire. If the need arises, packages are modifiable, however.

Why patch management is important

Patch management helps keep systems from getting exploited. PDQ Deploy provides a simple way of downloading third-party updates and pushing them. Yet another Adobe Flash update? PDQ Deploy it. I have so much confidence in the tool that I would deploy Adobe Flash updates during the day. Maybe not something you want to do with everything (and not something I would recommend doing the first time), but Flash deployed without issue.

PDQ Inventory ($500 enterprise version) another Admin Arsenal offering, will help with automating the process. FULL DISCLOSURE: I did not get an opportunity to try out PDQ Inventory. We ended up integrating PDQ Deploy with a different inventory software (another plus). Below is a video that walks through how to use PDQ Deploy and Inventory to setup automated patching for Adobe Flash. These guys have a great YouTube channel, by the way, that walks through several different features and functions of the PDQ products.

PDQ Deploy by itself is a software pusher. It does not check for version on the current machine. It won’t care if the software is on the machine or even needs the update. The problem with that is that it increases the attack surface on the machine. PDQ Inventory combined with PDQ Deploy will work to determine version or if it’s installed on the machine, in the first place. As mentioned earlier, PDQ Deploy has the potential to work with other inventory software. Which is beneficial if there is something already in place. If not, check out PDQ Inventory. If it's as half as good as PDQ Deploy, it's a win for you.

How to use PDQ Deploy

Open PDQ Deploy (or go to Admin Arsenal's YouTube channel).

The left pane is for navigation. The Package Library is where software packages are downloaded. Packages is where all the downloaded packages can be viewed.

To download a new package, search for the software package by Categories or Vendors. I typically searched Vendors, because I knew what I wanted (Adobe Flash gets updated a lot). For this example we’ll use Adobe to grab the Flash package. Go to Package Library -> Vendors -> Adobe. Highlight Flash and then click the Import Selected button in the top right corner. The package will download and appear under Packages. Highlight the package and then click the Deploy button and Deploy Once in the top right corner. This is also where packages can be edited or scheduled to run if necessary.

Click the Choose Targets button and select how to deploy the package. Packages can be deployed via:

Active Directory
PDQ Inventory
Spiceworks
Target List
Text File

For my test group I usually put all my IP Addresses in a text file and then pushed using the text file option. Use what is best for your specific environment. The selected machines will appear in the target window. The program will run a communications check on all the machines. Once that finishes click the Deploy Now button.

The window will close and the deployment begins. Progress can be viewed in the package view. Click on the deployment to show the progress of the deployment, and that’s pretty much it.

One final note. Credentials will probably need to be setup. To set this up, click on FILE in the top left and then click Preferences. Click Credentials in the left pane and then the Add Credentials button.

Conclusion

Patch management is a big challenge for organizations. Thankfully, PDQ Deploy can meet that challenge and may even exceed it. The program is intuitive, easy-to-use, and fits nicely in a small budget. On it's own PDQ Deploy is a powerful tool that helps get patch management under control. Combined with PDQ Inventory patch management will be a piece of cake.

This post wraps up my Blue Team Starter Kit series. Feedback is welcome. Any correct or clarification requests can be sent to timothy.deblock[at]gmail[dot]com. The introductory post can be found here.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Computer hardening with EMET

December 17, 2015

EMET is awesome.

Microsoft's Enhanced Mitigation Experienced Toolkit (EMET) is also free and adds an extra layer of protection to computers. Released in the fall of 2009, EMET is currently at version 5.2, with a 5.5 beta available for download. Each application and program on a Windows-based computer runs in a predefined way on a Windows-based OS. When malware infects a machine, it tries to take advantage of the predefined interaction. EMET attempts to hide that interaction from malicious software. This article will explore more of this idea, as well as talk about how to deploy it to an organization.

What is EMET?

When Windows XP was nearing end of support, we realized that we weren’t going to meet that date. This lead me to research ways of mitigating this issue. Soon after I discovered the EMET.

This wonderful tool added another layer of protection to our machines. The user guide has a good technical breakdown on all the protection features. The gist of it is that EMET attempts to randomize or hide how applications interact with the Windows OS. When malicious code attempts to run using a predictable process, EMET blocks and alerts on it.

EMET can be installed in the enterprise or even on a home computer. At home, simply download and install.

2015-12-17 22_12_32-Application Configuration.png

It's interface is easy to use. The main window features the ability to enable, disable, or opt-in applications to the defense features. It also shows the processes EMET is protecting. Navigate to the "Application Configuration" window by clicking the Apps button. Here is where individual protections can be enabled or disabled for applications.

These two windows are the main windows for configuring most of EMET's functionality. We'll talk more about configuration as we dive into deploying EMET.

How to deploy EMET

EMET can be deployed any number of ways. If your organization has Microsoft System Center Configuration Manager, congratulations you win! If you don’t deployment will be a bit trickier, but still painless. The article next week will cover PDQ Deploy. Which is a low-cost option for deploying EMET (as well as other software). Before EMET can be deployed some preperation work needs to be done..

I would highly recommend deploying it to a group of test users. To setup a test group, identify one user and computer from each department. The more people added to the group the better. Try to have a good relationship with these people. A relationship is key to getting prompt and informative feedback on any issues. Offer up something like personalized help for issues with EMET.

The reason for the test group is to ensure that the computers in an organization work with EMET. As great as EMET is, it can have issues with certain programs on the computer. I deployed EMET 4.0 to my organization without a hitch. I tried to push 5.0 and derped Microsoft Office and IE on all developer and mainframe machines. That was a fun morning! I resolved the issue on each computer quickly, but it caused some consternation. Do it once or twice and people will eventually forgive you. Do it more than that and it will be much harder to get new security initiatives deployed.

To configure EMET, Open the interface by right clicking on the icon in the bottom right corner of the screen. The main interface shows the protections and the process EMET is running on. Protection profiles can be imported or exported. Clicking the Import button will have some predefined profiles to use including:

CertTrust
Popular Software
Recommended Software

Start with Recommended Software.

Next, click Apps to open the Application Configuration interface. This interface allows for the configuration of each individual protection on specific applications. When an application is blocked by EMET, a small pop-up will appear in the bottom right corner of the screen. The pop-up contains information for what application and what defense fired. This is useful for troubleshooting when a legitimate application is blocked. To resolve the issue, uncheck the protection for the that application. EMET requires a reboot after each change, but the issue may be resolve after unchecking the box.

That's the general idea of configuring EMET. Each organization and department is unique. Finding the right configuration can take time.

After finding the best configuration for your organization, you'll want to have central control of the configuration. This is possible with Group Policy. Group Policy allows for control of the options on the main interface. To gain control of the Application Configuration window a logon script will need to be setup.

There are a few different ways to get the options for EMET to show up in Group Policy. There will be links at the bottom of this post leading to those options. One of the great things about EMET is that a lot of information security professionals have written about it. The method I used was to drop an .adml and .admx file onto one of the Domain Controllers.

Check the more resources section for different methods on getting control of EMET.

Conclusion

I'll reiterate the opening statement: EMET is awesome. It's free. Easy to use. There's been a lot of article and guides written on it. Best of all it adds an extra layer of protection to machines. There is some work and planning involved, but it will pay off in the end.

More resources

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Forensics with Redline

December 8, 2015

“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standing operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is until I found Mandiant’s (Now Fireye’s) Redline tool.

What is Redline?

It’s a free tool that allows me to do an investigation on potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).

The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects all the log sources from the computer and puts it all in one location for analysis. This is useful for investigating incidents where an incidents specific time frame is available.

The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI is for analyzing processes and IOCs for artifact defining. Refer to the user guide for more information on using these.

Alternative Tools

Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and from the sound of it does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.

There’s also the SANS Investigative Forensics Toolkit (SIFT). Which is a VMware workstation loaded with forensics tools. It’s been awhile since I’ve used the tool. From what I remember this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensics analysis on potentially compromised computers.*

*As you may have noticed by now I keep using the word “potentially” compromised computers. That’s because one of things I discovered using Redline is that false positives happen.

How to use Redline

Download and install Redline. I would also recommend downloading the user guide as well. The user guide is how I got started using the tool. It will explain the ins and the outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.

Still with me? Let us proceed.

Launch Redline and, click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activities happen in memory. Collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.

*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down. A reboot or shutdown will wipe whatever is in memory.

When a compromised computer is discovered, get the collection package on the computer. There are a few options for getting the package on a computer. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method for accomplishing this.

To run the package, execute the “RunRedlineAudit” batch file in the collection package. A command prompt (black box) will pop-up and begin run a script to collect all the events on the computer. The collection can take several hours depending on how much is on the computer, it’s processing power, how much memory it has, etc.

Once the script completes, open it in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.

After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation. Refer to the user guide for explanations on these. A Timeline will appear with all events from registry changes, browsing history, event logs. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything. Which is why it's a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after a certain time period. If the information available on the incident is vague, a wider time period may be needed. For more accurate time a smaller time period can be used.

For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after a specific time. When I didn’t have an exact time, I would go as high as 15 mins before and after. One thing to note is that the time on events is in GMT time. A conversion to GMT is needed to match the time from the incident to the computer (+4 or +5 hours).

Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. One incident I responded to, several users had clicked a phishing email. A block box had popped up on their machine and then went away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure Google it.

That's pretty much it. The process I use is very simple. It gets me the answers within a relatively quick time period and helped me make better decisions. Doing the analysis above I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefits of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.

The tool and its alternatives are much deeper and offer valuable information for decision making.

Conclusion

With Fireye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pickup and just start using. There’s some good documentation and I know of at least one YouTube video available.

Of course, there are plenty of other reputable options. Volatility being the one that I see most people talking about. Whatever tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment. How to adjust defenses and identify false positives and just make better decisions overall.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - ZAP for application security

November 30, 2015

I remember hearing about ZAP on my ride into work, listening to Security Weekly. After a little researched I discovered that it was a tool supported by the Open Web Application Security Project. OWASP is an open source non-profit organization focused on providing better application security to organizations. The best part about the tool is that it is free!

What is ZAP?

ZAP stands for Zed Attack Proxy. Named such by Simon Bennetts who told me that he really wanted to name the tool ZAP (OWASP. Bugs. Get it?). Simon is not a security person by trade. He’s a developer and built the tool to help developers write better code. It just so happened that security people found the tool and started using it.

Setting up ZAP as a proxy allows for a tester to run through an application and find vulnerabilities. It uses the methods in OWASP’s Top 10 as part of its scan. I’ll get into the methodology of using the tool later. This automates and streamlines a lot of testing. Beware, the scanner is not perfect (no scanner is). Confirming vulnerabilities found by the tool is a very important part of the process. One false positive with developers and we lose credibility.

After testing is complete ZAP has an export report feature. The report can be exported in either an HTML or an XML format. The HTML is great for working with developers and researching and confirming each finding. With the XML format, a tool like ThreadFix or Dradis can be used to help track vulnerabilities.

The tool also has advanced features for further digging into the application. This is great as a tester gets more comfortable and better with the tool he has an opportunity to dig deeper into an application.

The alternative

The alternative to ZAP is Burp Suite. It does a lot of the same things that ZAP does with some minor differences. Burp has two versions: A community version (free); and a premium version (paid). The premium version costs $300 a year. For those looking to make a career in application security, getting familiar with Burp is a must. Learning both is a plus. Each tool has it's strengths and weaknesses.

How to get started

Download ZAP from the OWASP website and install. Launch the application. The first screen you will see is asking, “Do you want to persist the ZAP Session?” Persisting the session will allow you to close and re-open the ZAP session quickly. You can either:

YES Persist: Save it in the default directory (first option)
YES Persist: Specify the name and location (second option)
Do Not Persist: Or don't bother (third option)

If you intend to save your own sessions then select the third option.

One of the first things available when ZAP opens, is the Quick Start tab. This can be used to perform a very quick, top-level scan. To dig much deeper into an application it will need to be setup as a proxy. To do this go to: Tools -> Options -> Local proxy.

Select your settings (or leave everything default). Then open internet options. Click the Connections tab and click the LAN settings button. Under the Proxy server section check the box for “Use a proxy server for your LAN.” Make sure the Address field says "localhost" (default) and the Port field reads "8080" (default). Click OK and then Apply. ZAP is now intercepting all internet traffic. This includes any browsers or applications using the internet. I recommend running the application assessment from a separate machine or virtual machine. As a proxy it will collect all internet traffic your computer performs. Including browser traffic and any updaters installed.

Now that we’re setup, time to test.

Methodology

Run through the entire application. When I say the entire application, I mean the ENTIRE APPLICATION. Click on every link and button. Fill out every field and submit forms. This is best done in a test environment which developers should have. Coordinate with them for any functions that need handling on their end. Once the application has been explored, it’s time to use ZAP to map the rest of the application.

Before we do that though, it is a good idea to exclude any sites you don’t want to run ZAP on. Right-click any sites you want to exclude. Select Exclude From Proxy and click OK. There is some flexibility here, but for the most part I just exclude the sites from the proxy all together.

To map the application ZAP uses a Spider. Right-click the site, highlight Attack, and select Spider. The spider will run through the application and map it. The more the application was explored by the tester, the more it will find. ZAP also features an Ajax Spider attack for ajax content. This will open a browser, run through the website, and map the ajax content in the application.

After running the spider function, run the forced browse attack. This function will use a text file with common directory names to look for hidden directories. This attack can usually take several hours to run, depending on the size of the list. ZAP supports user created lists.

Active scan is run next. This is where discovery of vulnerabilities of the application occurs. The function will run through techniques in the OWASP Top 10. Clicking on the heartbeat monitor icon will allow you to watch the progress of the scan.

I want to mention one other type of attack that may or may not be used. The Fuzz attack or fuzzer. This is typically used for things like user enumeration (username discover). The attack allows for requests sent to be modified using a text file. This allows for the automation of sending many modified requests to the application. Viewing the responses we can build a list of usernames in automated and quick fashion.

Once the Active Scan completes we have a (hopefully not long) list of vulnerabilities. Export and view a report of the findings by clicking Report -> Generate HTML report. The report includes:

The type of attack
A short description
The vulnerable link
The attack
The solution
References.

Once the vulnerabilities are confirmed or rejected, it’s report writing time.

Conclusion

OWASP ZAP is a great tool for those just starting out in application security. Or those needing to stand up a security assessment program. The instructions above are meant to just get someone started with using ZAP. Both ZAP and Burp Suite provide a lot of granular control of and customization of it's features and functions. But both are very simple to use. Both are well documented (check the more resources section below).

If $300 is within the budget, Burp Suite is the tool of choice by application security professionals. I've tinkered with Burp Suite, but for the most part I've used ZAP. Free is hard to beat, but it also came in handy working with developers. As I was implementing the security assessment program in my organization, I quickly discovered that the developers were interested in the tool. That probably had more to do with managements support of the program. Still, when the developers started asking questions on how I tested, I simply installed the tool on their system. From there I showed them my techniques for performing assessments. Now, I'm easily showing the developers how to run their checks of the application before it even reaches me.

I probably could do the same with Burp Suite, but I have a few more hoops to jump through with the $300 price tag. The community version does a lot of the same things the premium does. It's just throttled. Again, if you're sure application security is where you want to be $300 is not an insurmountable amount of money. If you're still feeling out the field ZAP works is the best bang for your buck.

More resources

OWASP Zed Attack Proxy Tutorial - YouTube
Lanmaster53 - Tim Tomes (he provides training too)
The Web Application Hacker's Handbook 2nd Edition by Dafydd Stuttard
SANS web App Penetration Testing and Ethical Hacking Course

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Twitter for intelligence

November 23, 2015

Twitter is a wonderful tool for getting live streaming information from around the world. This isn’t exclusive to information security. Sporting, political, entertainment, and other types of news first break on Twitter. It's also a valuable research tool and forum to discuss security topics. This can work to the advantage of a security team that embraces the social media platform.

I first discovered the value of Twitter when the Heartbleed news broke. Initially, we thought Heartbleed wouldn’t affect us. But after finding a free scan tool via Twitter we discovered that we were dead wrong. Unsure of how this was possible we started investigating. Twitter having served its discovery purpose now shifted into a research tool.

At the time everyone was discussing the vulnerability. There were plenty of links each uniquely analyzing and explaining the vulnerability. XKCD even had a great comic on it. After gaining a basic understanding of the vulnerability we needed to confirm our findings. After some more research, we found a tool for that purpose. Twitter wasn't the only tool we used (Google previously discussed was also used), but it did compliment our efforts for understanding, testing, and ultimately mitigating the vulnerability.

There are several ways a security team can setup Twitter. We ended up creating a brand new account. This allowed us to share the Twitter feed among ourselves and various devices. We then followed as many security professionals and companies as we could find. Hashtags like #infosec are a good place to start when searching for accounts to follow. Other hashtags that can be scouted for infosec accounts to follow include:

#appsec (application security)
#dtsr (podcast discussion hash tag)
#pentesting (red teaming)
#dfir (digital forensics, incident response)
and many more.

Twitter also provides the list feature for carving out accounts that focus on an individual discipline. Simply, create a new list and start adding people to it. The great thing about lists is that you don't have to be following the account to add it to a list. This is useful for organization and to keep work from invading your personal Twitter feed constantly (if you have one). Lists are able to be subscribed to, if there's a desire not to start a new account.

Tweetdeck and Hootsuite are two options for managing multiple Twitter feeds. They allow for multiple feeds to be displayed in the browser. I typically have my person feed, personal interactions, the security team feed, and then either a hashtag or list.

If you haven’t incorporated Twitter into your day-to-day monitoring, do it. It’s a powerful tool that leverages live information on news, discussions, and tools. It’s free (which makes it affordable) and it’s simple to use. Keeping a thumb on the pulse of information security is essential for any security team.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Google for research

November 12, 2015

Google is a powerful tool for information security or IT in general. I was first introduced to Google back in 2003, while serving in the US Navy. Before Google I had used Yahoo, Netscape, and Lycos search functions with varying results. Once Google showed up, it changed the game. More accurate and quicker results became the norm. The other search engines began to fade until eventually Google was the reliable go to.

At my DerbyCon talk, someone mentioned Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown. The book takes a red team approach to utilizing Google. While that is important we're going to focus on some beginner level techniques in this post.

As with all the tools we’ll be covering, using Google is well documented. If a search technique needs better understanding, Google it. It’s that simple. Two of my favorite parameters to use are: quotation marks (“ “) and site search (site:).

Using quotation marks (“ “) around search terms will help refine searches. For example if I search for infosec tools I’ll get one set of results:

Using “infosec tools” I get a different set of results:

The first search term (infosec tools) is checking the entire page for the words infosec and tools. The second search tearm (“infosec tools”) is looking for that specific phrase in the web page. I've found using quotations useful for searching names and complex problems. Putting the quotations around a phrase helps refine the search. The search infosec tools returned 701,000 results; the search “infosec tools” returned 2,940 results.

This technique is also useful for using exact words with other terms. Example: Forensics “infosec tools”

The other parameter I like to use is the site: parameter. This parameter allows you to search within a specific site for specific words or terms:

2015-11-10 11_59_50-site_timothydeblock.com NSA - Google Search.png

That’s 19 results for the word NSA on this site. This is useful for searching blogs or sites that are difficult to navigate. Earlier today I came across this post on MOZ that talks about 25 operators specifically for the site: parameter.

There are numerous other search operators available to further refine searches. filetype: is another useful one. This operator is useful for discovering specific file types like a spreadsheet or PDF. Here are two of the many sites that dive deeper into Google search operators:

We’ve only scratched the surface, but this is a good starting point. Google is a powerful tool for security teams. Learning to use it effective is a valuable skill for any security team. From here disciplines like Google Dorking and OSINT await. As well as other tools that will help make your team better at what they do.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Introduction

November 5, 2015

I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.

My talk Blue Team Starter Kit presents several security challenges with low cost solutions. It is for security professionals with limited resources including time, money, and people.

LIMITED RESOURCES IS ONLY AN EXCUSE

Limited resources can be it’s own challenge.

“If only we could buy this appliance, all our problems would be solve.”

Except that when that appliance come in, it takes time to configure and train. Oh, and that function that the salesmen says would solve all our problems, ya, that doesn’t work. Some appliances work great. Other times not so great. Unfortunately, when the not so great happens we lose money and time. Look in house before even beginning to research solutions that can solve problems.

Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender, love, and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.

Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.

CHALLENGE #1 - Research

Google is a fantastic tool for doing research. It is the first stop to begin solving difficult challenges. Understanding Google’s search techniques is a vital in becoming a proficient IT professional. COST: Behavioural data

CHALLENGE #2 - Threat Intelligence

So, how do I keep up with information security and it’s every changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and more precisely Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people to ask questions and make connections. Sure there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data

CHALLENGE #3 - Application Security

Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Setup as a proxy ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free

An alternative to this tool is Burp Suite which has a community version and a paid version. COST: $300 year (Professional version)

CHALLENGE #4 - Forensics

As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST:Free

An alternative to this tool is Volatility. COST: Free

CHALLENGES #5 - Endpoint Security

Microsoft’s Enhanced Mitigation Experienced Toolkit (EMET) adds an extra layer of protection to machines with Adobe Flash, Java, and Microsoft products involved. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often times have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free

CHALLENGE #6 - Patch Management

This is a big one and one that might be the most difficult of all the challenges. I tried a couple internal applications (it's amazing how many solutions have a deploy software function), with frustrating results. That is until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory it has the potential to help patch third-party software. COST: $500 (Enterprise version)

CONCLUSION

The challenges and tools above I plan to dive deeper into over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions, first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good of a job.

Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

Trends 2015 presented by IT-ology wrap-up

October 28, 2015

Trends 2015 presented by IT-ology was today and I am exhausted.

Every year in the fall IT-ology selects a technology topic to hold a conference on. This year was security, so naturally ColaSec was involved in providing speakers, volunteers, and marketing for the conference. Four keynote speakers filled the morning track and 12 speakers filled the afternoon tracks, which were split into technologist, civilian, and business. I presented a talk titled, "Low cost tools for security challenges" in the technologist track.

For those coming to my site who were in that talk, here are my slides and here are my videos (from previous conferences) of the talk. I got some good feedback from in regards to the talk, which was very much appreciated.

Trends 2015 was the last time I intended to give this particular talk. The recordings are out, my slides are out there, and I'd like to move onto some fresh content. What that is, I don't know yet, but I have some ideas. Before I move onto some fresh content, I want to compliment the video and slides of my talk with some blog posts that go a little more in-depth with the tools I presented. Over the next several weeks I intend to have a post a week, with step-by-step instructions on how to use each of the tools in my talk.

Thank you to everyone that made it to my talk and any feedback is still welcome.

This post first appeared on Exploring Information Security.

Investing in the people who work on a security team

October 22, 2015

I was recently featured in an article title The support security leaders need for better cloud security on CSO Online by fellow palmettoian(?) Michael Santarcangelo. I'm working with Michael on improving my writing while exploring various topics within information security. I did not realize moving to the cloud had become such a hot trend for businesses. It makes sense, though, and is probably something that will become more excepted. After thinking about it I realized I've had some exposure to moving certain IT functions to the cloud already. It makes sense for the right technology, and the technology is only getting better, so it will make sense for more and more initiatives.

As I was researching the topic one challenge began to stick out to me. Is everyone on board, specifically those in security, with moving business and IT functions to the cloud? Talking to several IT people I work with and know, I came away with a feeling of hesitation. Hesitation or not, the business is making the call to move to the cloud and doing it at an ever increasing pace. Which is why it is important for all members of a security team to have an understanding and be comfortable with technology moving to the cloud. It is happening whether we like it or not. We could say, "no" but that just means we are being the brick wall that the business will hammer through or more simply walk around or climb over. I have come around to the idea that security needs to be an enabler of the business, but security leaders needs to become an enabler of the people on the security team.

I'm seeing a lot of managers and leaders wanting to do good things, but not finding the time to invest in their people. They are slammed with meetings and projects and spending time with the members of the security team just doesn't fit into the schedule. They were hired to do a job and that's what they'll do, plus they are slammed with a long to do list too. Here's the thing, the people on the security team have wonderful ideas, they have creative ways to solve problems, but more importantly they want to help find solutions to problems the manager is facing. If there's a disconnect all that creativity and input goes to waste.

We often hear about the talent shortage within security. The easy solution is to higher more people and get better funding. The even easier solution is to invest in the people already on the security team. Are security leaders getting the best out of their people? The only way to find out is to invest in the team, not just in training but in mentorship. Sitting down with them to understand their frustrations, provide mentorship, give feedback, and more importantly enable them to be the best they can be. Santarcangelo followed up the article above with one titled The security talent shortage and your leadership opportunity. It's a slideshow format article, which makes it a quick read and it asks some questions on what leaders are doing to address the talent shortage.

Wrapping up (because this is already longer than intended), I'm seeing security teams struggle with finding and then keeping people. As it happens, I was listening to a podcast from NPR's Ted Radio Hour titled The Meaning of Work. The episode explores how we make work more meaningful. Compensation is not something that makes work more meaningful. The environment, the culture, and the challenges are what make work more meaningful. Investing in the security team will help build a better environment and culture. Enabling the security team will help create more challenging opportunities that lead to more meaningful work. More meaningful work makes for a happier security team and a happier security team accomplishes so much more than an unhappy security team.

This post first appeared on Exploring Information Security.

More resources for IT certifications

October 20, 2015

The latest Exploring Information Security podcast episode, "What certifications are available for infosec professionals?" released yesterday and I've already started getting some great feedback from the episode.

@TimothyDeBlock Also ran across this: http://t.co/eiegAtvxls
— Tyler Neeriemer (@tyneeriemer) October 19, 2015

Tyler Neeriemer on Twitter shared with me a couple links that had certificate roadmaps in them. I really liked this one from CompTIA. The roadmap includes non-CompTIA certs and is laid out intuitively. There's also this article from 2012 by SecureState.

Feedback for the podcast and any helpful links that contribute to an episode are always welcome.

This post first appeared on Exploring Information Security.

DerbyCon talk and impressions

September 28, 2015

DerbyCon lived up to its top billing as one of the best security conferences to attend. It is amazing how much is going on at the conference the entire time. Five talk tracks, CTF competition, lock pick village, vendor area, and of course LobbyCon. And that doesn't include the evening festivities like Hacker Jeopardy, a showing of Hackers to hackers, or the two nights of concerts (DualCore and The Crystal Method). There was a constant roar coming from the lobby of DerbyCon each day from 8 a.m to 6 a.m.

The con was well located in downtown Louisville, Kentucky. Outside of the venue is a plethora of food choices and entertainment. All within a two block radius. The farthest I ventured away from the con was about three blocks for breakfast with a group of old and new acquaintances.

Speaking of acquaintances, I got to catch up with people I've meet at previous conferences, as well as meet some new ones. That is one of the best things about attending these conferences, the connections you create and maintain (and I've made a whole bunch in the one-plus year of attending cons).

Below is the recording of my DerbyCon talk and a link to my slides.

DerbyCon talk slides

I was pretty happy with my talk. I wish I wasn't so monotone, but part of that was nervousness and the other part was sitting down for the talk. I believe later speakers stood up with microphone, which is something I should have done. Sitting down to give my talk sucked some of the energy from it. Looking past the lack of energy, I have gotten good feedback on the talk. Everyone that I talked to about the talk said it was good and useful, which was my ultimate goal.

I am very much looking forward to DerbyCon 2016

This post first appeared on Exploring Information Security.

BSides Augusta gallery and pictures

September 21, 2015

Media

The gallery for BSides Augusta can be found in my Photography section.

BSides Augusta 2015

BSides Augusta, Georgia, September 12, 2015.

My Blue Team Starter Kit talk is available on YouTube.

Impressions

This was my second year attending BSides Augusta. As I've mentioned several times, this is one of the best run security conferences out there. You can tell pretty quickly that the organizers put a lot of effort and time into ensuring everything runs smoothly. This year was no different. I heard Mark Baggett tell one persont hat there were some minor hiccups in the morning. I didn't notice them. The only thing I could tell was that they overlooked the registration line. They had lines divided up into last name, but it was apparent entering the building.

Aside from that, everything else ran smooth for the conference. Speaking of attendance, the number reached 500 this year. That's up from 300 last year, which makes Augusta one of the bigger BSides events. The event is expected to grow even more as the Army continues to grow its cyber command at Fort Gordon.

I didn't get to sit in a lot of talks, but there seemed to be a pretty strong malware theme this year. Joel Esler's "2015 - It's Not Over Yet" and Wes Widner's "Lessons Learned from Analyzing Terabytes of Malware" are two such talks that stood out to me as I hoped from track to track taking pictures. But Paul Melson's "Viper Framework for Malware Analysis" and Alex Rymdeko-Harvey's "Malvertizing Like a Pro" are two more talks that deal with malware. I plan to go back through several of the session's at BSides Augusta after the baseball season is over.

If you live in the South East, I highly recommend BSides Augusta. Especially for security professionals working on a blue team. It's rare for a security conference to have two blue team tracks and I don't see that changing in the future. Put the event on your calendar for next year. I promise you won't be disappointed.

This post first appeared on Exploring Information Security.

Data Driven Security - all about the analytics

August 31, 2015

I've been remiss in my blogging duties. I've had some changes in my life recently, but I'd like to get back to posting on a regular basis and there's not real a good reason why I should be able to do that. Allow me to rectify my absentmindedness by talking about the book Data-Driven Security by Jay Jacobs and Bob Rudis.

This was a wonderful book to read as an information security professional. As information security matures (and the world in general) metrics and analytics are going to become a bigger part of the field. We see sabermetrics taking over baseball and other sports for the simple fact that it helps organizations gain a deeper understanding of what the have, which leads to making better decisions. Those same strategies can help many professional fields, including information security.

Each chapter of the book covers a different scenario in which data is analyzed to answer an infosec related question. It also discusses the art of visualization and how to make communicating numbers more useful to people (*cough*executives*cough*). The book exposes the reader to the wonderful world of Python and R studio, both of which are used to analyze and make sense of the data, without requiring too much previous knowledge. Each chapter walks the reader through exercises utilizing pre-built Python scrips in R Studio, just enough to wet the petite.

What I really enjoyed about the book was that it was easy to read. It wasn't bogged down with numbers or big words. Of course, I'm not exactly a newb to reading about statistical analysis. Still, I think people with some interest in data-driven security will find the book a fairly easy read. It's a great starting point for those wanting to explore a discipline in security that is likely to become more and more relevant as security and data matures.

This post first appeared on Exploring Information Security.

Exploring Information Security podcast launches

August 9, 2015

A year ago I started a small podcast project called, Exploring Information Security. The idea of the podcast is to explore different topics, ideas, and disciplines within information security. I started the podcast at a horrible time and was thus unable to keep the project going. I've since found myself with more time to pick this neat little podcast idea back up.

iTunes feed: https://itunes.apple.com/us/podcast/eis-podcast-timothy-de-block/id1026428940

Some iTunes ratings would be fantastic and any topic suggestions. I've got a running list of topics I want to cover and guests to interview for those topics, but I'll always take more suggestions. For now, new episodes will release every Monday, starting tomorrow August 10, 2015. I have four podcasts scheduled for the rest of August, with four more ready to be edited.

This post first appeared on Exploring Information Security.

Back from vacation: Trends 2015, DerbyCon, and podcast

August 4, 2015

Trends 2015

October 28, 2015, IT-ology will be hosting Trends 2015, which will focus on:

"...the overall digital transformation taking place in society and the associated security issues that come along with it."

The ColaSec group has been asked to help with promoting and finding speakers for the event. The call for presenters is now open. Here are the details:

IT-oLogy presents Trends 2015

Cybersecurity 2020: The Impact of Digital Business on Security

CALL FOR PRESENTERS NOW OPEN

Form to submit: https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

What is Trends?

An IT-oLogy (www.it-ology.org) hosted annual conference focusing on technology issues and topics that are “trending” nationally as well as regionally/locally. Basically, it heightens awareness around issues that will impact the future of IT-oLogy partners, the local and regional community, and South Carolina in a big way. The conference is kicked off by a presentation from a Gartner analyst.

2015 Topic:

This year’s topic is the overall digital transformation taking place in society (everything is becoming ‘digital’) and the associated security issues that come along with it.

2015 Date/Location:

Trends will take place Wednesday, October 28 fro 9:00 am to 4:30 pm EST at IT-oLogy, 1301 Gervais Street, Columbia, SC 29201.

Call for Speakers:

The 2015 Call for Speakers is now open. We’re looking for talks in the following areas:

Digital Transformation

A massive “digital transformation” is taking place in society and the pace is only accelerating. Industries, as well as organizations and individuals, are being impacted in ways never imagined. What are examples of this transformation? How is it having an impact? Why is it important?

Security, specific to the following areas:

C level/Executive – security issues impacting executives at all levels (decision makers). Those topics executives should be aware of and know about.
Technologists – issues impacting those at a hands-on technical level. Target audience here will be technologists.
Citizen 101 – issues impacting everyday citizens. Things they should be aware of. Examples might include a very basic overview of how to encrypt email and/or attachments (most don’t have a clue), why changing passwords often is a must-do (and how to keep up with all those passwords), and other like issues.

Do you have a presentation? We’d like to hear from you! Please fill out the form and Todd Lewis (todd.lewis@it-ology.org) will respond!

https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

DerbyCon

While on vacation last week, I was surprised to receive an email from the organizers of DerbyCon informing me that my Blue Team Starter Kit talk was accepted. I was a bit surprised to have my talk accepted, then I was a little terrified to be speaking at one of the biggest and well known security conference in the US. Now I'm really excited to be speaking at the event and I look forward to the experience of not only speaking at DerbyCon but attending the conference as well.

Which leads to my next point. I need to figure out a place to stay. If anyone wants to split a room, get in touch. Also, I'll be driving to Louisville, KY, from Lexington, SC, anyone in between is more than welcome to contact me about a ride. I will be heading to the conference on the 24th of September.

Exploring Information Security

I will be working on getting the podcast feed setup for the Exploring Information Security podcast, so I can submit it to iTunes and begin releasing episodes next week. Feedback and suggestions for future episodes are welcome.

This post first appeared on Exploring Information Security.

The return of the Exploring Information Security podcast

July 20, 2015

A year ago, I started an information security podcast that explores different topics and disciplines within the field. I stopped producing the podcast because I had too many things going on at the time and my final year of school was about to start. I was overwhelmed and that was an easy project to stop doing. A year later and I've found myself with more time and a desire to continue the project I started a year ago.

This week I have two interviews lined up with more expected in the coming weeks. My plan is to launch in early August. I will be putting the first three episodes I did last year up on iTunes and then begin releasing the episodes weekly. All seven episodes I did last year can be found at http://www.timothydeblock.com/eis/. I will continue to release episodes there, as well as on your favorite podcast directory.

This post first appeared on Exploring Information Security.

Prepare the patches

July 8, 2015

Two patches are coming down the patch management pipe starting today. First, Adobe is supposed to release yet another out-of-band patch for its flash player to address a zero day vulnerability discovered in the Hacking Team breach.

And on Monday OpenSSL announced they would be releasing a patch for a "high" severity vulnerability in OpenSSL versions 1.0.2d and 1.0.1p.

Hooray patches!

This post first appeared on Exploring Information Security.

CircleCityCon gallery is up and bonus GIFs

July 7, 2015

All the CircleCityCon pictures are now available on Flickr.

Below are some GIFs I made from the pictures I took.

DJ Rance giving CircleCityCon attendees something to bounce to.

Who's behind the mask?

@TimothyDeBlock @CircleCityCon @revrance hmmmmmmmmmm
— Eddie Mize (@EddieTheYeti) June 30, 2015

Here's the ladies of CircleCityCon having some fun during their "photo shoot."

This post first appeared on Exploring Information Security.

CircleCityCon Links

July 6, 2015

I meant to include this on my last post, but I completely forgot. Here are some links to impressions other people had of the CircleCityCon conference that I found perusing my Twitter feed.

My First "Con": Alice in Security Wonderland by Cheryl Biswas

The Power of Community -- Circle City Con Edition by Chris Maddalena

This post first appeared on Exploring Information Security.