Getting into information security via military service

May 21, 2016

I see a lot of self-study and going to college advice for those looking to get into information security. I would like to recommend another option. Join the military. People joining the military get training, real world experience, and money for continued education.

Now, the military isn’t for everyone. Yes, there is a chain of command filled with people who give out orders. And yes, those orders need to be complied with. The thing about that is that most people know what they’re doing in the military. It's usually not an issue. And that's because the quality of people in the military is top notch.

Joining the military is no small decision and it shows in the people that serve. I had several really good mentors in the military that helped shape who I am as a person. Not only did I enjoy the benefits below, but I learned a lot from those mentors. I gained a strong work ethic. Learned communication and leadership skills. And I had a lot of fun doing it.

The lifestyle is a lot different. The first couple of years involved moving around quite a bit. Moving from a barracks to a dorm to another dorm to a different base. Then off-base to an apartment. I spent a year in the midwest, three years one the west coast. Then two years on the east coast. If you like traveling there’s plenty to be had in the military.

Then there's the uniform. Sure, I couldn't pick my close, but that made things easier. Each day I woke up and new what I had to wear. I also saved quite a bit of money on doing laundry, because I could wear the same uniform for a few days. Usually, I was just changing my undergarments.

Training

My first military contract had me set to be a paralegal in the Army. That fell through and I ended up joining the Navy as an electronics technician. That contract came with a $7,000 signing bonus. I had two months of basic training. Two months of basic electronics training. Four months of communication electronics training. Three weeks of miniature/microminiature board repair training (2M). All that in my first year. I was also sent to radio, aircraft load out, instructor, Humvee driver and forklift operator training. When it comes to training the military is one of the best.

I joined in early 2001 and IT (let alone infosec) positions weren't as well defined. Now that the digital age has matured, there's a much stronger focus on information security. That means the programs are much more prominent in today's military.

Real world experience

During my time in the Navy I did a little bit of everything. I pulled cable. Moved phone lines. Setup computers. Troubleshooted computer issues. Setup communications for field exercises. Inventoried and maintained radio equipment. Setup switches. Created user accounts. And that was all at my first command.

My second command involved a lot more IT work. I learned how to rebuild a server after it crashed and no backups were available. I trained personnel on email usage. Took part in my first workstation refresh, swapping out old computers with new ones. Patched systems. Updated anti-virus. Troubleshooted more computer issues. I leaned on a lot of that experience when I got out and started looking for a job.

I also got the opportunity to do a lot of fun stuff. Train with Navy SEALS. Face-off against the Canadian Army in multi-nation exercise. Jump waves on the Pacific Ocean in a Zodiac Hurricane. Just to name a few.

Money for continuing education

The GI Bill is one of the best benefits received from joining the military. I paid for school and a Network+ certification with it. Last year I graduated from the University of South Carolina with a degree in media arts. All paid for by the GI Bill. I knew coming out of high school that if I went to college I would be wasting my time and my parents money. I wanted to get some real experience and get college paid for when I was ready to go.

The GI-Bill is even better now then when I first started going to school. A year or two after I started taking classes, the GI-Bill changed. Not only was school paid for, but I was making a little money on the side. As long as I was taking more than half a load of classes I got basic allowance for housing (BAH). Which is a significant amount of money. This really helped when we started expanding our family.

Final thoughts

The military is a great option for people looking to start a career. The military does a great job of training and giving it’s members real world experience. A lot of that training and experience translates to the real world. For those looking to get into information security, the military has some good programs. When I joined, I had no idea of the career I wanted to be in. That was okay, because when I knew what I wanted to do I could lean on a lot of my experience.

Serving the military is a massive commitment. Again, it’s not for everyone. It is a viable option though and one that I recommend exploring.

This post first appeared on Exploring Information Security.

Improve WordPress security in three steps

April 4, 2016

WordPress websites allow individuals or organizations to get a website stood up quickly. With easy customization, WordPress is a flexible and powerful platform for websites. Unfortunately, because they're easy to setup security often times gets overlooked. Outdated and unused plugins can lead to compromised website. That compromise is typically in the form of redirects to malicious sites that try to install malware on a visitors machines. Most of the time an owner is unaware of the compromise.

All hope is not lost. There is a way to securely run a WordPress site.

These three practices will help maximize security on a WordPress site:

Run only the programs needed
Run a security plugin like iThemes
Keep all plugins up-to-date.

The theme here is plugins. WordPress itself is a well built platform. The security issues that arise from the core are minimal. What makes WordPress sites vulnerable are plugins. The reason for that is that anyone can create a plugin.

Only run the plugins needed

I get it. We see a plugin we like and install it on the site to try it out. We forget about it or we deactivate it to try another plugin. That plugin sits there and sits there. And sits there. And sits there. If a plugin has been sitting there for a while remove it. A deactivated plugin is vulnerable to exploitation. If it’s deactivated remove it. It's just as easy to reinstall later.

If this is for an organization the same IT principles apply. Deactivate any active plugins that seem unnecessary or unused. Wait for a period of time to ensure there are no adverse affects, then remove it. A plugin installed on the site, even if it is deactivated, is still vulnerable to a malicious actor.

Run a security plugin

There are plenty of good security plugins available for WordPress. A security plugin will add more features and settings to help make a site more secure. Here is a list of seven courtesy of Infosec Institute . I’ve only used iThemes, so I can’t speak to the quality of the others. Try out a few and see which one works the best. Remember the section above.

Keep WordPress and plugins up-to-date

Most vulnerabilities in WordPress-based sites aren’t from WordPress. They are usually from the plugins installed on the site. The core itself is pretty solid. The plugins are usually what make the site vulnerable. Look for plugins that are kept updated. Then update when a new version is available. It’s as simple as that.

The update process is quick and painless. Make sure to have good backups. Some hosting providers will provide this feature. Login to the site weekly to check for an update. A weekly reminder works wonders.

Conclusion

Only run plugins needed on the website. That means removing all unused plugins. Install a plugin for security. There are several available. I’m the most familiar with iThemes, which is why I recommend that plugin. Try out a few and find one that fits the website the best. Keep all plugins up-to-date. Even if the website isn’t logged into on a regular basis. Set a reminder and login once a week to check for updates.

WordPress sites are one of the most vulnerable platforms out there. One of the reasons for that is that a lot of people use it. A lot of people use it, because it is an easy platform to setup and maintain. That goes for security on the platform as well. Follow the three pieces of advice above and help make the internet a safer place.

This post first appeared on Exploring Information Security.

Success doesn't require following your passion

February 15, 2016

“Follow your passion” is a phrase often given as career advice to people getting into a field. I don’t like the this advice. It sets high expectations for someone trying to break into a field and it has the potential to lead to burnout. Note the second definition about in the image above.

There’s nothing wrong with using passion as motivation, but that same emotion has a dark side. Instead of following a passion, bring it to your daily work. Look for value and unique skill sets that will provide a positive impact.

Following your passion isn't helpful advice

I first started to question “follow your passion” early in 2015. It was while listening to an episode of the NPR TED Radio Hour titled success. In that episode there was plenty of talk about following your passion for success. Well, except for Mike Rowe. For those unfamiliar with Rowe, he had a TV show titled Dirty Jobs. Rowe would go with a film crew to various locations to work for a day doing a less than glamorous job.

In his TED talk he described the people doing these dirty jobs day-to-day as happy. No one follows their passion to be septic tank cleaner or a road kill highway picker upper or a bait seller. Yet, that's what these people did and they were successful. 40-50 of the 200 people he followed around were multi-millionaires. He suggests that instead of following a passion, bring passion to the work.

A recent Art of Charm podcast featured Cal Newport and he has another angle. In the episode he debunks the “follow your passion” advice. The people that give the advice usually give it because they can't explicitly explain why they've been successful. He says, instead of following your passion you should let your passion follow you. He talks about finding the unique skill and valuable skills in your daily work that makes you stick out. What creative solutions can make systems and processes run more efficiently. That's what these successful people have found in the work they do or the content they create.

Reflecting on my career

Coming out of high school I was set to go into the Army as a paralegal. Instead I ended up in the Navy as an electronics technician, after my contract fell through. Would I be more or less happy in that role? I don't know. I'd like to think I would be just as happy in a legal career as I am in my IT career. I've seen people passionate about computers and I can safely say I am not one of them. What I've enjoyed is solving problems. Building new programs and systems and optimizing ones already in place.

In my daily work I've looked for ways to make the most impact and make things run better:

I’ve implemented a remote access and software deployment solution for the help desk. They had to manage computers all over the state. Before the solution they had to travel for the simplest problem.

I also took our unused IDS solution and setup a one-man security operations center (SOC). Computers I found talking to countries outside of the US I had a technician investigate for malware.

I’ve cleaned up content filtering rules and rebuilt servers to interfere with operations less. That led to management tasking me with important projects. Implementing security in the software development life cycle (SDLC) process. Hardening our computers and securing our websites. I didn't follow my passion to any of those areas, I brought it with me. What's allowed me to be successful is following through on tasks and improving what's already in place.

Of all the work I've done, I found that I really enjoyed working in application security. If there’s one area I would love to move into it would be application security. Yet, I also enjoy building new programs and making a positive impact. I currently work in a SOC. It’s not the most exciting experience for me, but I’m learning what I can and trying to improve or build out new processes. I’m trying to learn the nuance of a SIEM and the challenges of being a SOC analyst. I’m bringing my passion with me and learning the skills that provide value to the organization.

Conclusion

It’s okay to be in a field and not be passionate. Success isn't found by following your passion. It's by bringing it with you. If you’re among those that are passionate about a particular field, that's awesome. I know a couple people like that and they live and breath the work day and night. I contest that’s a rare thing.

For the rest of us look for enjoyment and fulfillment in everyday work. Try to identify what can make the most impact in your organization and your career. Bring the passion or let it follow you. Success will be sure to follow.

This post first appeared on Exploring Information Security.

The 7 Habits of Highly Effective People

February 10, 2016

I just finished the book The 7 Habits of Highly Effective People by Stephen R. Covey. What a fantastic book. I've heard of the book before but never took the time to actually read through the 380 pages or so. The book really helped me reflect and understand what I'm doing right and what I can approve upon in life.

The book deals in seven habits that fit into three different different areas of our live. Being proactive, beginning with the end in mind, and first things first fit into our independence. Essentially, what we can control in our own life. Then thinking about win-win, seeking to understand, and synergizing all fit into the interdependence of building relationships. Finally, there's sharpening the saw in the continuous improvement section. The final habit has four personal areas of renewal: physical, spiritual, mental, and social/emotional.

As I read through the book here are some of quotes that resonated with me:

Really seeking to understand another person is probably one of the most important deposits you can make, and it is the key to every other deposit. You simply don't know what constitutes a deposit to another person until you understand that individual

I've seen success with this approach in implementing security.

Integrity also means avoiding any communication that is deceptive, full of guile, or beneath the dignity of people. "A lie is any communication with intent to deceive," according to one definition of the world. Whether we communicate with words or behavior, if we have integrity, our intent cannot be to deceive.

I have a pair of sunglasses that I had etched with the word "integrity." It's a word that I've always believed in and try to practice in my daily life.

So I recommend reading literature, such as the inspiring biography of Anwar Sadat, In Search of Identity, and seeing movies like Chariot of Fire or plays like Les Misérables that exposes you to models of Win/Win.

Win/Win is something that I've practiced before but never realized I was actually doing it. Win/Lose, Lose/Win, and Lose/Lose are the other variations that I've practiced and never realized. I intend to continue to study Win/Win scenarios and applying it more in my daily life.

Apparent learner disability was nothing more or less than teacher inflexibility.

I've always wanted to teach. I thought it would be High School history or something, but now I realize teaching is something we do daily with the people we interact with. As teachers we need to find more creative and interesting ways to get our message or teachings across. If students aren't picking up on it, that's on us. Not them.

Final thoughts

One of the things I loved about this book is that Covey focused on some of his own failings. In self-help books, authors often focus on successes in implementing self-help advice or strategies. Which of course makes trying to apply those practices frustrating when they fail. Reading about the failures and the lessons learned from helped me to understand that application will take time and that it's a continuous process.

This post first appeared on Exploring Information Security.

NSA TAO Chief Rob Joyce on network defense

February 1, 2016

The above video is from the USENIX Enigma conference, in which Rob Joyce, Chief, Tailored access Operations, of the National Security Agency spoke. He spoke from the attackers perspective and gave some best practice advice and recommendations. Those that have been in the information security perspective for any extended period of time won't be surprised, but it's worth repeating.

I would recommend watching the video. It's only about 35 minutes long. If you don't have the time here are some notes I took on the talk.

BEST PRACTICES

Perform a third-party penetration test
Fix the items in the penetration test report
"You have to be continually defending and improving"
Understand the normal baseline for the traffic on the network
Monitor the network
Least privelege
Network segmentation
Enable and audit logs
Application white-listing (at the very least do high risk assets)
Anti-virus - reputation services
Incident response plan

RECOMMENDATIONS

This post first appeared on Exploring Information Security.

Security and SDLC: Getting started and working with others

January 28, 2016

Getting security into the software development life cycle (SDLC) seems easy. Just write good code and wallah security is in an application. That would be nice, but unfortunately, it doesn’t work like that.

The very first step to implementing security in the SDLC is to have support from leadership. I was lucky enough to have that when I was tasked with this responsibility. Before a new application went live, management asked if security had reviewed the application. Simple. Sweet. It made my job a lot easier. I didn’t have to constantly track down applications or bang the developers over the head. They were coming to me. Which was important in improving the process as the security assessment program matured.

The next step is to get familiar with the tools. OWASP ZAP and Burp Suite are two low-cost tools that can help with performing a security assessment. ZAP is free and Burp Suite costs $350 for the professional version. I’ve covered ZAP in a previous post. Both tools have plenty of resources available to start diving into.

I highly recommend training. I took SANS 542 and it helped tremendously. I learned a lot about the methodology and vulnerabilities associated with application security. If you happen to be in the southeast you may be able to catch a Tim Tomes training course. Troy Hunt’s stuff on Pluralsight is also a really good resource.

Security should be implemented at all stages of the SDLC. Which means a security person should be involved in the early stages, as well as the late stages. The should be at planning meetings making recommendations. They should also be tracking and checking in on progress. Towards the end is where the actual security assessment occurs using tools like ZAP or Burp, but the work doesn’t end there. Confirming findings and generating a report starts the next phase. Finally, Remediation is an important step and requires working closely with the development team.

Working with developers and system administrators

Working with other departments is vital in implementing strong security. For simplicity sake I’m going only going to mention developers. However, don't forget the system administrators. Developers build the applications and the sysadmins are the ones that maintain it. Some findings will require the help of sysadmins configuring the servers that run these applications. Do not overlook them.

There are two big no-nos in working with other departments. Not confirming findings and not providing guidance on findings that need to be resolved.

Confirming findings is very important. Each false positive that a developer finds is credibility the security team loses. Developers have enough on their plate, with applications to build and ambitious deadlines to meet. They don’t need to spends hours on a problem only to find out that the security team made a mistake. Scanners do make mistakes. Make sure each findings are confirmed and can be explained. This goes along with the second part.

Work with the developers to resolve the findings. Vulnerabilities in code will need the security team's help in remediation. Developers are really smart. In my situation, a lot of the time, the developers knew how to fix the issue. But other times, I had to help them research a solution. New vulnerabilities are being discovered daily and it's the security team's responsibility to be on top of them.

One of the benefits of helping developers resolve issues is that it gives us an opportunity to build a better relationship with them.

Building a relationship allows for an easier transition to security. As I mentioned earlier, developers are under a lot of pressure to get things up and out. Security can come in and add more pressure or it can allow them to make better applications. Enabling them to do their best is our goal. A relationship with the developers will make that transition much smoother.

How to build a better relationship

Ask the questions. People love talking about what they do, especially, if they’re passionate about it. Ask questions and show an interest in their work. Coming from a non-development background meant I had a lot to learn. Which gave me plenty of opportunities to ask questions. By making an effort to understand their work, I gained credibility as a problem solver. I showed that I wanted to understand their work.

Help solve the problems. ZAP reports have a reference and solutions section. Go through those. Get on Google. Review YouTube videos. Read blog posts. Do whatever is needed to understand the fixes for code. Then dive into the code with the developers to understand the fix. Provide the developers with as many resources as possible to get the job done and then learn from them.

Teach them the tools. This goes back to implementing security at all stages of the SDLC. The earlier issues are caught, the less it will cost to resolve. This is where leadership support comes into play. With leadership ensuring that the SDLC ran through the security team it helped create the story below.

Storytime

After running several security assessments for new applications, the developers wanted to know more about the tool I was using. If they’re going to have to run an application by me, they want to understand the tool I'm using. Each time I found something meant time we had to go back and remediate and then re-scan. So, I started showing them how to run ZAP. I did one-on-ones with developers and held training sessions on the use of the tool. Something amazing happened as a result of that.

One day, we started receiving reports that a scam email was being sent to customers via our service. The thought was that as people signed up for a new account, they would receive a scam email. Not something we wanted to take lightly. While I investigated the message of the scam, I asked one of the developers to go create an account. The idea was to see if the scam email did in fact come after account creation. So he did.

He returned to me and told me that there was no scam email after account creation. He then handed me the ZAP report. Wait. A ZAP report? Mind blown. I hadn’t even asked him to use ZAP while checking for the scam email. I had intended to do that myself, but he went ahead and did it.

That likely doesn't happen if leadership isn't committed to security.

*By the way, ZAP wasn’t built by someone in security. It was built by Simon Bennetts, a developer. This tool was built by a developer, for developers. Security people just thought it was a neat tool.

Conclusion

Leadership support is important to the successful implementation of security into the SDLC. Tools are a wonderful way to get started with finding vulnerabilities. They are by no means perfect. As the program matures more manual and in-depth testing is needed. Training can help with that. Also, stay on top of the latest application security news. There's something new every day.

Security needs to be implemented at all stages. Which means attending developer planning meetings. Tracking project status. More importantly, understanding the business needs in application development. Interviewing and meeting with project managers and developers individually.

Finally, work with the developers and sysadmins to resolve issues. Be there as a resource and a student to their craft. Ask questions. Solve problems. Teach them the tools. It will go a long way in enabling them to be better.

This post first appeared on Exploring Information Security.

GSEC Analyst 38087

January 21, 2016

This past Wednesday I took and passed my GIAC GSEC exam. I am now officially GSEC Analyst 38087!

SANS 401 - Security Essentials and the GSEC exam are the main reason why I haven't been posting very much lately. With the course and exam out of the way, I plan to get back to postng more regularly. Before I do that, I wanted to give some quick thoughts on the course.

When I was told that I would be doing the SANS 401 course back in November, I was a bit annoyed. I was just about to start studying for the CISSP and was essentially told to forget that and focus on this course and the accompanying exam. I thought I was too good for a 401 course. I have 13 years of experience in IT. The last three and half of which I've spent in security. I didn't need some entry level training. Boy was I wrong.

What SANS 401 security essentials did for me, was fill in a lot of holes in my IT and security knowledge. Networking things such as the OSI model, TCP/UDP traffic, and so on. It also introduced me to things at a higher level such as risk management, critical security controls, and so on. I learned new things about Windows, and I've been working on Windows since NT. I also got a better understanding of the Linux operating system.

The course taught me a lot of new things, while giving me a deeper understanding of the things I already knew. It was a very valuable course for me to take and I would recommend it for anyone in security.

This post first appeared on Exploring Information Security.

CSO panel and thoughts on Cardinals-Astros breach

January 10, 2016

Last month I participated on a panel for CSO on, "The pathway to the security talent we crave." The audio and transcript from that panel is up for those who have a free account with CSO.

Former St. Louis Cardinals employee, Chris Correa, was in court for his unauthorized access of the Houston Astros database, Ground Control, on Friday. I read through the five-page indictment and shared my thoughts on Astros County in regards to how the breach occurred.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - PDQ Deploy for patch management

December 22, 2015

Patch management is one of the hardest initiatives to solve for an organization. Setting up a Microsoft Windows Server Update Services can help with Windows updates. Third-party software patching is a bit trickier. Secunia and other options are available for those with the financial resources. For everyone else I recommend PDQ Deploy.

What is PDQ Deploy

PDQ Deploy is an Admin Arsenal offering. It’s free to download and use. The free version is limited, but can give you an idea of what to expect with the program. The enterprise version costs $500 and well worth it.

The program helps to solve patch management, but it can also function as a general software deployment solution. In my previous post, I talked about EMET. PDQ Deploy is the tool I used to easily deploy EMET to my environment. Packages come pre-configured. No parameters or variables need to be set. Just download, select your target computers, and fire. If the need arises, packages are modifiable, however.

Why patch management is important

Patch management helps keep systems from getting exploited. PDQ Deploy provides a simple way of downloading third-party updates and pushing them. Yet another Adobe Flash update? PDQ Deploy it. I have so much confidence in the tool that I would deploy Adobe Flash updates during the day. Maybe not something you want to do with everything (and not something I would recommend doing the first time), but Flash deployed without issue.

PDQ Inventory ($500 enterprise version) another Admin Arsenal offering, will help with automating the process. FULL DISCLOSURE: I did not get an opportunity to try out PDQ Inventory. We ended up integrating PDQ Deploy with a different inventory software (another plus). Below is a video that walks through how to use PDQ Deploy and Inventory to setup automated patching for Adobe Flash. These guys have a great YouTube channel, by the way, that walks through several different features and functions of the PDQ products.

PDQ Deploy by itself is a software pusher. It does not check for version on the current machine. It won’t care if the software is on the machine or even needs the update. The problem with that is that it increases the attack surface on the machine. PDQ Inventory combined with PDQ Deploy will work to determine version or if it’s installed on the machine, in the first place. As mentioned earlier, PDQ Deploy has the potential to work with other inventory software. Which is beneficial if there is something already in place. If not, check out PDQ Inventory. If it's as half as good as PDQ Deploy, it's a win for you.

How to use PDQ Deploy

Open PDQ Deploy (or go to Admin Arsenal's YouTube channel).

The left pane is for navigation. The Package Library is where software packages are downloaded. Packages is where all the downloaded packages can be viewed.

To download a new package, search for the software package by Categories or Vendors. I typically searched Vendors, because I knew what I wanted (Adobe Flash gets updated a lot). For this example we’ll use Adobe to grab the Flash package. Go to Package Library -> Vendors -> Adobe. Highlight Flash and then click the Import Selected button in the top right corner. The package will download and appear under Packages. Highlight the package and then click the Deploy button and Deploy Once in the top right corner. This is also where packages can be edited or scheduled to run if necessary.

Click the Choose Targets button and select how to deploy the package. Packages can be deployed via:

Active Directory
PDQ Inventory
Spiceworks
Target List
Text File

For my test group I usually put all my IP Addresses in a text file and then pushed using the text file option. Use what is best for your specific environment. The selected machines will appear in the target window. The program will run a communications check on all the machines. Once that finishes click the Deploy Now button.

The window will close and the deployment begins. Progress can be viewed in the package view. Click on the deployment to show the progress of the deployment, and that’s pretty much it.

One final note. Credentials will probably need to be setup. To set this up, click on FILE in the top left and then click Preferences. Click Credentials in the left pane and then the Add Credentials button.

Conclusion

Patch management is a big challenge for organizations. Thankfully, PDQ Deploy can meet that challenge and may even exceed it. The program is intuitive, easy-to-use, and fits nicely in a small budget. On it's own PDQ Deploy is a powerful tool that helps get patch management under control. Combined with PDQ Inventory patch management will be a piece of cake.

This post wraps up my Blue Team Starter Kit series. Feedback is welcome. Any correct or clarification requests can be sent to timothy.deblock[at]gmail[dot]com. The introductory post can be found here.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Computer hardening with EMET

December 17, 2015

EMET is awesome.

Microsoft's Enhanced Mitigation Experienced Toolkit (EMET) is also free and adds an extra layer of protection to computers. Released in the fall of 2009, EMET is currently at version 5.2, with a 5.5 beta available for download. Each application and program on a Windows-based computer runs in a predefined way on a Windows-based OS. When malware infects a machine, it tries to take advantage of the predefined interaction. EMET attempts to hide that interaction from malicious software. This article will explore more of this idea, as well as talk about how to deploy it to an organization.

What is EMET?

When Windows XP was nearing end of support, we realized that we weren’t going to meet that date. This lead me to research ways of mitigating this issue. Soon after I discovered the EMET.

This wonderful tool added another layer of protection to our machines. The user guide has a good technical breakdown on all the protection features. The gist of it is that EMET attempts to randomize or hide how applications interact with the Windows OS. When malicious code attempts to run using a predictable process, EMET blocks and alerts on it.

EMET can be installed in the enterprise or even on a home computer. At home, simply download and install.

2015-12-17 22_12_32-Application Configuration.png

It's interface is easy to use. The main window features the ability to enable, disable, or opt-in applications to the defense features. It also shows the processes EMET is protecting. Navigate to the "Application Configuration" window by clicking the Apps button. Here is where individual protections can be enabled or disabled for applications.

These two windows are the main windows for configuring most of EMET's functionality. We'll talk more about configuration as we dive into deploying EMET.

How to deploy EMET

EMET can be deployed any number of ways. If your organization has Microsoft System Center Configuration Manager, congratulations you win! If you don’t deployment will be a bit trickier, but still painless. The article next week will cover PDQ Deploy. Which is a low-cost option for deploying EMET (as well as other software). Before EMET can be deployed some preperation work needs to be done..

I would highly recommend deploying it to a group of test users. To setup a test group, identify one user and computer from each department. The more people added to the group the better. Try to have a good relationship with these people. A relationship is key to getting prompt and informative feedback on any issues. Offer up something like personalized help for issues with EMET.

The reason for the test group is to ensure that the computers in an organization work with EMET. As great as EMET is, it can have issues with certain programs on the computer. I deployed EMET 4.0 to my organization without a hitch. I tried to push 5.0 and derped Microsoft Office and IE on all developer and mainframe machines. That was a fun morning! I resolved the issue on each computer quickly, but it caused some consternation. Do it once or twice and people will eventually forgive you. Do it more than that and it will be much harder to get new security initiatives deployed.

To configure EMET, Open the interface by right clicking on the icon in the bottom right corner of the screen. The main interface shows the protections and the process EMET is running on. Protection profiles can be imported or exported. Clicking the Import button will have some predefined profiles to use including:

CertTrust
Popular Software
Recommended Software

Start with Recommended Software.

Next, click Apps to open the Application Configuration interface. This interface allows for the configuration of each individual protection on specific applications. When an application is blocked by EMET, a small pop-up will appear in the bottom right corner of the screen. The pop-up contains information for what application and what defense fired. This is useful for troubleshooting when a legitimate application is blocked. To resolve the issue, uncheck the protection for the that application. EMET requires a reboot after each change, but the issue may be resolve after unchecking the box.

That's the general idea of configuring EMET. Each organization and department is unique. Finding the right configuration can take time.

After finding the best configuration for your organization, you'll want to have central control of the configuration. This is possible with Group Policy. Group Policy allows for control of the options on the main interface. To gain control of the Application Configuration window a logon script will need to be setup.

There are a few different ways to get the options for EMET to show up in Group Policy. There will be links at the bottom of this post leading to those options. One of the great things about EMET is that a lot of information security professionals have written about it. The method I used was to drop an .adml and .admx file onto one of the Domain Controllers.

Check the more resources section for different methods on getting control of EMET.

Conclusion

I'll reiterate the opening statement: EMET is awesome. It's free. Easy to use. There's been a lot of article and guides written on it. Best of all it adds an extra layer of protection to machines. There is some work and planning involved, but it will pay off in the end.

More resources

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Forensics with Redline

December 8, 2015

“I guess we’ll just re-image the box then” is the phrase I often used early in my IT career. That was standing operating procedure for a compromised machine. We would receive a SOC alert. We would go kick the user off the box and have it re-imaged. That is until I found Mandiant’s (Now Fireye’s) Redline tool.

What is Redline?

It’s a free tool that allows me to do an investigation on potentially compromised boxes. With the tool, I started getting a better understanding of why compromises occurred. That information allowed us to make better decisions about defenses in place. It also allowed us to provide valuable feedback to the Security Operations Center (SOC).

The tool has several features that can be useful for analysis. This article will focus on the timeline feature. The timeline collects all the log sources from the computer and puts it all in one location for analysis. This is useful for investigating incidents where an incidents specific time frame is available.

The tool also features a Malware Risk Index (MRI) score and Indicators of Compromise (IOCs). MRI is for analyzing processes and IOCs for artifact defining. Refer to the user guide for more information on using these.

Alternative Tools

Before we get to Redline, I would like to mention a few alternatives. Volatility is a tool that I hear a lot of infosec people raving about. It’s a memory forensics and analysis tool and from the sound of it does a lot of the same things Redline does. I have never used the tool, but I see plenty of professionals talking about it.

There’s also the SANS Investigative Forensics Toolkit (SIFT). Which is a VMware workstation loaded with forensics tools. It’s been awhile since I’ve used the tool. From what I remember this tool requires a little more advanced knowledge of forensics. Still, it’s another free option to perform forensics analysis on potentially compromised computers.*

*As you may have noticed by now I keep using the word “potentially” compromised computers. That’s because one of things I discovered using Redline is that false positives happen.

How to use Redline

Download and install Redline. I would also recommend downloading the user guide as well. The user guide is how I got started using the tool. It will explain the ins and the outs in much more depth than I intend to here. In fact, I recommend stopping here and just using the user guide.

Still with me? Let us proceed.

Launch Redline and, click on the “Create a Comprehensive Collector” link. This will create the collection package. Check the box for “Acquire Memory Image.” A lot of malicious activities happen in memory. Collecting what’s in memory is vital.* Next, decide where the collection package will reside on the computer. Click OK to create the package.

*When responding to an incident, disconnect the computer from the network or contain it in a separate VLAN. Avoid rebooting or shutting down. A reboot or shutdown will wipe whatever is in memory.

When a compromised computer is discovered, get the collection package on the computer. There are a few options for getting the package on a computer. Packages can be pre-deployed to all boxes in the organization. USB is another option. The organization’s environment will determine the best method for accomplishing this.

To run the package, execute the “RunRedlineAudit” batch file in the collection package. A command prompt (black box) will pop-up and begin run a script to collect all the events on the computer. The collection can take several hours depending on how much is on the computer, it’s processing power, how much memory it has, etc.

Once the script completes, open it in Redline. On Redline’s main page, click the link for “Open Previous Analysis” under Analyze Data. Go to Sessions -> AnalysisSession and select the .mans file. Click Open. Redline will now load the session. This part of the process can take some time as well.

After the session opens, click on the option to investigate based on an external source. There are other options for starting an investigation. Refer to the user guide for explanations on these. A Timeline will appear with all events from registry changes, browsing history, event logs. A Timeline Configuration pane is available for refining the timeline. Computers create a ton of events, so it can take some time to load everything. Which is why it's a good idea to define a time period. Go to the Time Wrinkle tab and set a number of minutes before and after a certain time period. If the information available on the incident is vague, a wider time period may be needed. For more accurate time a smaller time period can be used.

For the most part, when I received a SOC alert the information I received was exact down to the second. I would use only two minutes before and after a specific time. When I didn’t have an exact time, I would go as high as 15 mins before and after. One thing to note is that the time on events is in GMT time. A conversion to GMT is needed to match the time from the incident to the computer (+4 or +5 hours).

Now go through the timeline and look for anything associated with the incident. Use Google to research any suspicious events. One incident I responded to, several users had clicked a phishing email. A block box had popped up on their machine and then went away. We ran Redline on the machines and found that an .exe had been dropped in the Windows temp folder. In other instances I would see the anti-virus or EMET step in and block the attack. Look for anything suspicious. If unsure Google it.

That's pretty much it. The process I use is very simple. It gets me the answers within a relatively quick time period and helped me make better decisions. Doing the analysis above I was able to determine when our defenses failed. I also discovered that we were being sent false positives and that the machines were perfectly fine. In those instances we could put the computers back in service with a high level of confidence. The benefits of doing that is that people aren't without machines for longer than needed. It also helped reduce workload in the IT department by reducing the number of computers that needed to be re-imaged.

The tool and its alternatives are much deeper and offer valuable information for decision making.

Conclusion

With Fireye’s Redline, security teams can make better decisions about potentially compromised computers. It’s a free tool, so it should fit nicely in the budget (no procurement process). It’s also an easy tool to pickup and just start using. There’s some good documentation and I know of at least one YouTube video available.

Of course, there are plenty of other reputable options. Volatility being the one that I see most people talking about. Whatever tool, taking the time to do some analysis on potentially compromised boxes is important. That information will provide a better picture of what’s happening in an environment. How to adjust defenses and identify false positives and just make better decisions overall.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - ZAP for application security

November 30, 2015

I remember hearing about ZAP on my ride into work, listening to Security Weekly. After a little researched I discovered that it was a tool supported by the Open Web Application Security Project. OWASP is an open source non-profit organization focused on providing better application security to organizations. The best part about the tool is that it is free!

What is ZAP?

ZAP stands for Zed Attack Proxy. Named such by Simon Bennetts who told me that he really wanted to name the tool ZAP (OWASP. Bugs. Get it?). Simon is not a security person by trade. He’s a developer and built the tool to help developers write better code. It just so happened that security people found the tool and started using it.

Setting up ZAP as a proxy allows for a tester to run through an application and find vulnerabilities. It uses the methods in OWASP’s Top 10 as part of its scan. I’ll get into the methodology of using the tool later. This automates and streamlines a lot of testing. Beware, the scanner is not perfect (no scanner is). Confirming vulnerabilities found by the tool is a very important part of the process. One false positive with developers and we lose credibility.

After testing is complete ZAP has an export report feature. The report can be exported in either an HTML or an XML format. The HTML is great for working with developers and researching and confirming each finding. With the XML format, a tool like ThreadFix or Dradis can be used to help track vulnerabilities.

The tool also has advanced features for further digging into the application. This is great as a tester gets more comfortable and better with the tool he has an opportunity to dig deeper into an application.

The alternative

The alternative to ZAP is Burp Suite. It does a lot of the same things that ZAP does with some minor differences. Burp has two versions: A community version (free); and a premium version (paid). The premium version costs $300 a year. For those looking to make a career in application security, getting familiar with Burp is a must. Learning both is a plus. Each tool has it's strengths and weaknesses.

How to get started

Download ZAP from the OWASP website and install. Launch the application. The first screen you will see is asking, “Do you want to persist the ZAP Session?” Persisting the session will allow you to close and re-open the ZAP session quickly. You can either:

YES Persist: Save it in the default directory (first option)
YES Persist: Specify the name and location (second option)
Do Not Persist: Or don't bother (third option)

If you intend to save your own sessions then select the third option.

One of the first things available when ZAP opens, is the Quick Start tab. This can be used to perform a very quick, top-level scan. To dig much deeper into an application it will need to be setup as a proxy. To do this go to: Tools -> Options -> Local proxy.

Select your settings (or leave everything default). Then open internet options. Click the Connections tab and click the LAN settings button. Under the Proxy server section check the box for “Use a proxy server for your LAN.” Make sure the Address field says "localhost" (default) and the Port field reads "8080" (default). Click OK and then Apply. ZAP is now intercepting all internet traffic. This includes any browsers or applications using the internet. I recommend running the application assessment from a separate machine or virtual machine. As a proxy it will collect all internet traffic your computer performs. Including browser traffic and any updaters installed.

Now that we’re setup, time to test.

Methodology

Run through the entire application. When I say the entire application, I mean the ENTIRE APPLICATION. Click on every link and button. Fill out every field and submit forms. This is best done in a test environment which developers should have. Coordinate with them for any functions that need handling on their end. Once the application has been explored, it’s time to use ZAP to map the rest of the application.

Before we do that though, it is a good idea to exclude any sites you don’t want to run ZAP on. Right-click any sites you want to exclude. Select Exclude From Proxy and click OK. There is some flexibility here, but for the most part I just exclude the sites from the proxy all together.

To map the application ZAP uses a Spider. Right-click the site, highlight Attack, and select Spider. The spider will run through the application and map it. The more the application was explored by the tester, the more it will find. ZAP also features an Ajax Spider attack for ajax content. This will open a browser, run through the website, and map the ajax content in the application.

After running the spider function, run the forced browse attack. This function will use a text file with common directory names to look for hidden directories. This attack can usually take several hours to run, depending on the size of the list. ZAP supports user created lists.

Active scan is run next. This is where discovery of vulnerabilities of the application occurs. The function will run through techniques in the OWASP Top 10. Clicking on the heartbeat monitor icon will allow you to watch the progress of the scan.

I want to mention one other type of attack that may or may not be used. The Fuzz attack or fuzzer. This is typically used for things like user enumeration (username discover). The attack allows for requests sent to be modified using a text file. This allows for the automation of sending many modified requests to the application. Viewing the responses we can build a list of usernames in automated and quick fashion.

Once the Active Scan completes we have a (hopefully not long) list of vulnerabilities. Export and view a report of the findings by clicking Report -> Generate HTML report. The report includes:

The type of attack
A short description
The vulnerable link
The attack
The solution
References.

Once the vulnerabilities are confirmed or rejected, it’s report writing time.

Conclusion

OWASP ZAP is a great tool for those just starting out in application security. Or those needing to stand up a security assessment program. The instructions above are meant to just get someone started with using ZAP. Both ZAP and Burp Suite provide a lot of granular control of and customization of it's features and functions. But both are very simple to use. Both are well documented (check the more resources section below).

If $300 is within the budget, Burp Suite is the tool of choice by application security professionals. I've tinkered with Burp Suite, but for the most part I've used ZAP. Free is hard to beat, but it also came in handy working with developers. As I was implementing the security assessment program in my organization, I quickly discovered that the developers were interested in the tool. That probably had more to do with managements support of the program. Still, when the developers started asking questions on how I tested, I simply installed the tool on their system. From there I showed them my techniques for performing assessments. Now, I'm easily showing the developers how to run their checks of the application before it even reaches me.

I probably could do the same with Burp Suite, but I have a few more hoops to jump through with the $300 price tag. The community version does a lot of the same things the premium does. It's just throttled. Again, if you're sure application security is where you want to be $300 is not an insurmountable amount of money. If you're still feeling out the field ZAP works is the best bang for your buck.

More resources

OWASP Zed Attack Proxy Tutorial - YouTube
Lanmaster53 - Tim Tomes (he provides training too)
The Web Application Hacker's Handbook 2nd Edition by Dafydd Stuttard
SANS web App Penetration Testing and Ethical Hacking Course

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Twitter for intelligence

November 23, 2015

Twitter is a wonderful tool for getting live streaming information from around the world. This isn’t exclusive to information security. Sporting, political, entertainment, and other types of news first break on Twitter. It's also a valuable research tool and forum to discuss security topics. This can work to the advantage of a security team that embraces the social media platform.

I first discovered the value of Twitter when the Heartbleed news broke. Initially, we thought Heartbleed wouldn’t affect us. But after finding a free scan tool via Twitter we discovered that we were dead wrong. Unsure of how this was possible we started investigating. Twitter having served its discovery purpose now shifted into a research tool.

At the time everyone was discussing the vulnerability. There were plenty of links each uniquely analyzing and explaining the vulnerability. XKCD even had a great comic on it. After gaining a basic understanding of the vulnerability we needed to confirm our findings. After some more research, we found a tool for that purpose. Twitter wasn't the only tool we used (Google previously discussed was also used), but it did compliment our efforts for understanding, testing, and ultimately mitigating the vulnerability.

There are several ways a security team can setup Twitter. We ended up creating a brand new account. This allowed us to share the Twitter feed among ourselves and various devices. We then followed as many security professionals and companies as we could find. Hashtags like #infosec are a good place to start when searching for accounts to follow. Other hashtags that can be scouted for infosec accounts to follow include:

#appsec (application security)
#dtsr (podcast discussion hash tag)
#pentesting (red teaming)
#dfir (digital forensics, incident response)
and many more.

Twitter also provides the list feature for carving out accounts that focus on an individual discipline. Simply, create a new list and start adding people to it. The great thing about lists is that you don't have to be following the account to add it to a list. This is useful for organization and to keep work from invading your personal Twitter feed constantly (if you have one). Lists are able to be subscribed to, if there's a desire not to start a new account.

Tweetdeck and Hootsuite are two options for managing multiple Twitter feeds. They allow for multiple feeds to be displayed in the browser. I typically have my person feed, personal interactions, the security team feed, and then either a hashtag or list.

If you haven’t incorporated Twitter into your day-to-day monitoring, do it. It’s a powerful tool that leverages live information on news, discussions, and tools. It’s free (which makes it affordable) and it’s simple to use. Keeping a thumb on the pulse of information security is essential for any security team.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Google for research

November 12, 2015

Google is a powerful tool for information security or IT in general. I was first introduced to Google back in 2003, while serving in the US Navy. Before Google I had used Yahoo, Netscape, and Lycos search functions with varying results. Once Google showed up, it changed the game. More accurate and quicker results became the norm. The other search engines began to fade until eventually Google was the reliable go to.

At my DerbyCon talk, someone mentioned Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown. The book takes a red team approach to utilizing Google. While that is important we're going to focus on some beginner level techniques in this post.

As with all the tools we’ll be covering, using Google is well documented. If a search technique needs better understanding, Google it. It’s that simple. Two of my favorite parameters to use are: quotation marks (“ “) and site search (site:).

Using quotation marks (“ “) around search terms will help refine searches. For example if I search for infosec tools I’ll get one set of results:

Using “infosec tools” I get a different set of results:

The first search term (infosec tools) is checking the entire page for the words infosec and tools. The second search tearm (“infosec tools”) is looking for that specific phrase in the web page. I've found using quotations useful for searching names and complex problems. Putting the quotations around a phrase helps refine the search. The search infosec tools returned 701,000 results; the search “infosec tools” returned 2,940 results.

This technique is also useful for using exact words with other terms. Example: Forensics “infosec tools”

The other parameter I like to use is the site: parameter. This parameter allows you to search within a specific site for specific words or terms:

2015-11-10 11_59_50-site_timothydeblock.com NSA - Google Search.png

That’s 19 results for the word NSA on this site. This is useful for searching blogs or sites that are difficult to navigate. Earlier today I came across this post on MOZ that talks about 25 operators specifically for the site: parameter.

There are numerous other search operators available to further refine searches. filetype: is another useful one. This operator is useful for discovering specific file types like a spreadsheet or PDF. Here are two of the many sites that dive deeper into Google search operators:

We’ve only scratched the surface, but this is a good starting point. Google is a powerful tool for security teams. Learning to use it effective is a valuable skill for any security team. From here disciplines like Google Dorking and OSINT await. As well as other tools that will help make your team better at what they do.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Introduction

November 5, 2015

I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.

My talk Blue Team Starter Kit presents several security challenges with low cost solutions. It is for security professionals with limited resources including time, money, and people.

LIMITED RESOURCES IS ONLY AN EXCUSE

Limited resources can be it’s own challenge.

“If only we could buy this appliance, all our problems would be solve.”

Except that when that appliance come in, it takes time to configure and train. Oh, and that function that the salesmen says would solve all our problems, ya, that doesn’t work. Some appliances work great. Other times not so great. Unfortunately, when the not so great happens we lose money and time. Look in house before even beginning to research solutions that can solve problems.

Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender, love, and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.

Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.

CHALLENGE #1 - Research

Google is a fantastic tool for doing research. It is the first stop to begin solving difficult challenges. Understanding Google’s search techniques is a vital in becoming a proficient IT professional. COST: Behavioural data

CHALLENGE #2 - Threat Intelligence

So, how do I keep up with information security and it’s every changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and more precisely Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people to ask questions and make connections. Sure there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data

CHALLENGE #3 - Application Security

Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Setup as a proxy ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free

An alternative to this tool is Burp Suite which has a community version and a paid version. COST: $300 year (Professional version)

CHALLENGE #4 - Forensics

As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST:Free

An alternative to this tool is Volatility. COST: Free

CHALLENGES #5 - Endpoint Security

Microsoft’s Enhanced Mitigation Experienced Toolkit (EMET) adds an extra layer of protection to machines with Adobe Flash, Java, and Microsoft products involved. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often times have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free

CHALLENGE #6 - Patch Management

This is a big one and one that might be the most difficult of all the challenges. I tried a couple internal applications (it's amazing how many solutions have a deploy software function), with frustrating results. That is until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory it has the potential to help patch third-party software. COST: $500 (Enterprise version)

CONCLUSION

The challenges and tools above I plan to dive deeper into over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions, first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good of a job.

Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

Trends 2015 presented by IT-ology wrap-up

October 28, 2015

Trends 2015 presented by IT-ology was today and I am exhausted.

Every year in the fall IT-ology selects a technology topic to hold a conference on. This year was security, so naturally ColaSec was involved in providing speakers, volunteers, and marketing for the conference. Four keynote speakers filled the morning track and 12 speakers filled the afternoon tracks, which were split into technologist, civilian, and business. I presented a talk titled, "Low cost tools for security challenges" in the technologist track.

For those coming to my site who were in that talk, here are my slides and here are my videos (from previous conferences) of the talk. I got some good feedback from in regards to the talk, which was very much appreciated.

Trends 2015 was the last time I intended to give this particular talk. The recordings are out, my slides are out there, and I'd like to move onto some fresh content. What that is, I don't know yet, but I have some ideas. Before I move onto some fresh content, I want to compliment the video and slides of my talk with some blog posts that go a little more in-depth with the tools I presented. Over the next several weeks I intend to have a post a week, with step-by-step instructions on how to use each of the tools in my talk.

Thank you to everyone that made it to my talk and any feedback is still welcome.

This post first appeared on Exploring Information Security.

Investing in the people who work on a security team

October 22, 2015

I was recently featured in an article title The support security leaders need for better cloud security on CSO Online by fellow palmettoian(?) Michael Santarcangelo. I'm working with Michael on improving my writing while exploring various topics within information security. I did not realize moving to the cloud had become such a hot trend for businesses. It makes sense, though, and is probably something that will become more excepted. After thinking about it I realized I've had some exposure to moving certain IT functions to the cloud already. It makes sense for the right technology, and the technology is only getting better, so it will make sense for more and more initiatives.

As I was researching the topic one challenge began to stick out to me. Is everyone on board, specifically those in security, with moving business and IT functions to the cloud? Talking to several IT people I work with and know, I came away with a feeling of hesitation. Hesitation or not, the business is making the call to move to the cloud and doing it at an ever increasing pace. Which is why it is important for all members of a security team to have an understanding and be comfortable with technology moving to the cloud. It is happening whether we like it or not. We could say, "no" but that just means we are being the brick wall that the business will hammer through or more simply walk around or climb over. I have come around to the idea that security needs to be an enabler of the business, but security leaders needs to become an enabler of the people on the security team.

I'm seeing a lot of managers and leaders wanting to do good things, but not finding the time to invest in their people. They are slammed with meetings and projects and spending time with the members of the security team just doesn't fit into the schedule. They were hired to do a job and that's what they'll do, plus they are slammed with a long to do list too. Here's the thing, the people on the security team have wonderful ideas, they have creative ways to solve problems, but more importantly they want to help find solutions to problems the manager is facing. If there's a disconnect all that creativity and input goes to waste.

We often hear about the talent shortage within security. The easy solution is to higher more people and get better funding. The even easier solution is to invest in the people already on the security team. Are security leaders getting the best out of their people? The only way to find out is to invest in the team, not just in training but in mentorship. Sitting down with them to understand their frustrations, provide mentorship, give feedback, and more importantly enable them to be the best they can be. Santarcangelo followed up the article above with one titled The security talent shortage and your leadership opportunity. It's a slideshow format article, which makes it a quick read and it asks some questions on what leaders are doing to address the talent shortage.

Wrapping up (because this is already longer than intended), I'm seeing security teams struggle with finding and then keeping people. As it happens, I was listening to a podcast from NPR's Ted Radio Hour titled The Meaning of Work. The episode explores how we make work more meaningful. Compensation is not something that makes work more meaningful. The environment, the culture, and the challenges are what make work more meaningful. Investing in the security team will help build a better environment and culture. Enabling the security team will help create more challenging opportunities that lead to more meaningful work. More meaningful work makes for a happier security team and a happier security team accomplishes so much more than an unhappy security team.

This post first appeared on Exploring Information Security.

More resources for IT certifications

October 20, 2015

The latest Exploring Information Security podcast episode, "What certifications are available for infosec professionals?" released yesterday and I've already started getting some great feedback from the episode.

@TimothyDeBlock Also ran across this: http://t.co/eiegAtvxls
— Tyler Neeriemer (@tyneeriemer) October 19, 2015

Tyler Neeriemer on Twitter shared with me a couple links that had certificate roadmaps in them. I really liked this one from CompTIA. The roadmap includes non-CompTIA certs and is laid out intuitively. There's also this article from 2012 by SecureState.

Feedback for the podcast and any helpful links that contribute to an episode are always welcome.

This post first appeared on Exploring Information Security.

DerbyCon talk and impressions

September 28, 2015

DerbyCon lived up to its top billing as one of the best security conferences to attend. It is amazing how much is going on at the conference the entire time. Five talk tracks, CTF competition, lock pick village, vendor area, and of course LobbyCon. And that doesn't include the evening festivities like Hacker Jeopardy, a showing of Hackers to hackers, or the two nights of concerts (DualCore and The Crystal Method). There was a constant roar coming from the lobby of DerbyCon each day from 8 a.m to 6 a.m.

The con was well located in downtown Louisville, Kentucky. Outside of the venue is a plethora of food choices and entertainment. All within a two block radius. The farthest I ventured away from the con was about three blocks for breakfast with a group of old and new acquaintances.

Speaking of acquaintances, I got to catch up with people I've meet at previous conferences, as well as meet some new ones. That is one of the best things about attending these conferences, the connections you create and maintain (and I've made a whole bunch in the one-plus year of attending cons).

Below is the recording of my DerbyCon talk and a link to my slides.

DerbyCon talk slides

I was pretty happy with my talk. I wish I wasn't so monotone, but part of that was nervousness and the other part was sitting down for the talk. I believe later speakers stood up with microphone, which is something I should have done. Sitting down to give my talk sucked some of the energy from it. Looking past the lack of energy, I have gotten good feedback on the talk. Everyone that I talked to about the talk said it was good and useful, which was my ultimate goal.

I am very much looking forward to DerbyCon 2016

This post first appeared on Exploring Information Security.

BSides Augusta gallery and pictures

September 21, 2015

Media

The gallery for BSides Augusta can be found in my Photography section.

BSides Augusta 2015

BSides Augusta, Georgia, September 12, 2015.

My Blue Team Starter Kit talk is available on YouTube.

Impressions

This was my second year attending BSides Augusta. As I've mentioned several times, this is one of the best run security conferences out there. You can tell pretty quickly that the organizers put a lot of effort and time into ensuring everything runs smoothly. This year was no different. I heard Mark Baggett tell one persont hat there were some minor hiccups in the morning. I didn't notice them. The only thing I could tell was that they overlooked the registration line. They had lines divided up into last name, but it was apparent entering the building.

Aside from that, everything else ran smooth for the conference. Speaking of attendance, the number reached 500 this year. That's up from 300 last year, which makes Augusta one of the bigger BSides events. The event is expected to grow even more as the Army continues to grow its cyber command at Fort Gordon.

I didn't get to sit in a lot of talks, but there seemed to be a pretty strong malware theme this year. Joel Esler's "2015 - It's Not Over Yet" and Wes Widner's "Lessons Learned from Analyzing Terabytes of Malware" are two such talks that stood out to me as I hoped from track to track taking pictures. But Paul Melson's "Viper Framework for Malware Analysis" and Alex Rymdeko-Harvey's "Malvertizing Like a Pro" are two more talks that deal with malware. I plan to go back through several of the session's at BSides Augusta after the baseball season is over.

If you live in the South East, I highly recommend BSides Augusta. Especially for security professionals working on a blue team. It's rare for a security conference to have two blue team tracks and I don't see that changing in the future. Put the event on your calendar for next year. I promise you won't be disappointed.

This post first appeared on Exploring Information Security.