Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Change Log - December 29, 2023, to January 4, 2024

January 5, 2024

This is a log of changes to the site over the last week.

Page updates:

Podcast and Website Sponsorships - I added lists and mentions of the podcast on the internet.


Blog posts:

Cybersecurity Predictions for 2024 - My predictions for 2024 because every blog has got to have them.

Launching Exploring Information Security - I talk about my reasons for launching the company and what services I offer.

New Years Resolutions: Taking Small Steps Past January 31st - Just a random post about habits and making small progress toward your goals.

Exploring Information Security Podcast Format - I talk about what I’m thinking for the new format of the podcast.

Podcast posts:

The Exploring Information Security Relaunch - It’s back!


This post first appeared on Exploring Information Security.

In Website. Tags: website, change log

[Image created by ChatGPT]

Exploring Information Security podcast format

January 4, 2024

First, I’d love to hear feedback from listeners on the podcast. This post is going to deal specifically with the length of the podcast. In the past I’ve tried to keep episodes to around 30 minutes. The idea being that people can listen to an episode during a commute and that they have other podcasts they listen to on a regular basis. It also allowed me to split up longer conversations so I could more easily release content on a regular basis. One conversation could be three weeks of work with some extra editing.

I think I’m going to ditch that and just let the conversations run for as long as they do. A couple of reasons for that: people pick and choose episodes, and it reduces the extra editing. Towards the end of the podcast I started getting more insights into how people listened to the podcast. I found that I had a regular listener base but also a lot of people who would pick and choose the episode to download. For example, one of the more popular episodes was on studying for the OSCP. It was downloaded a lot. Searching the internet I found it on a lot of Reddit threads as a suggestion for people studying to get their OSCP. I think breaking up the podcast makes it harder for people to listen to the content they want. They have to go through multiple podcasts with an intro and an outro.

On the backend there’s a lot of work that goes into a podcast episode. One episode of 30-60 minutes is usually about three to four hours of production time, not including the recording. I have to schedule guests, research the topic to make the questions, and then do post editing to clean up and put together the audio. While breaking up the podcasts gets me more episodes, it adds a little complexity to the editing process and I want to simplify that. It does mean I’ll have to book more guests, but I think that adds more content naturally to the podcast and site.

Thoughts are appreciated. Hit the comment section below or reach out to me via the site contact form or LinkedIn.

In Media. Tags: podcast

[Image: My Whoop stats from December 2022 to November 2023]

New Years Resolutions: Taking small steps past January 31st

January 3, 2024

Not really a security topic, but imagine I’m using a building-a-security-program analogy.

I’m not a New Years resolution guy. I think January 1 is an arbitrary date, and if I’m going to make changes that stick I need to start now rather than later. I’ve started new habits in the middle of the year and on December 20th. I’ve found that I tend to be more successful when I just start. Three years ago I got a Whoop in November 2020 and it’s been tremendous for habit changes I want to make. It tracks my sleep and strain for the day using heart rate, respiratory rate, blood oxygen, and stress levels. I fill out a journal every morning on the habits and activities that affect my recovery. I’ve discovered valuable insights that have allowed me to make adjustments for the betterment of my health.

This is one of the things to remember when making changes to your life. It’s not one month and done. It’s a journey. The Whoop has helped with my journey because it provides me the data I need to make more targeted adjustments. It wasn’t something that happened overnight or even in a month, and I’ve been working on some of my vices for over three years. It took me seven years to quit smoking in my 20s. I did that with small steps.

It’s the same thing for any habit change. It requires small progressive steps. Some people can quit cold turkey or make drastic changes. Good for them! I’m not one of those people, unfortunately. For me it’s small changes that help me make life-changing habits. There have been setbacks. A lot of setbacks!

If you’ve set a New Years Resolution, that’s great! Making changes is hard. I would advise patience and the acceptance that there will be setbacks. If there is a setback, work to get back on track. If you keep plugging away at it you’ll get better and be healthier for it. Health is very important not only for yourself but also for your career.

In Experiences, Advice. Tags: New Year, habits, change

Launching Exploring Information Security

January 2, 2024

Starting January 2, 2023, I will be offering a set of services as Exploring Information Security, LLC. Check out the Services page for a full listing of what I plan to offer. I am offering a variety of services based on my skillset, past experience, and where I think I can be most effective helping people and organizations.

I have researched and established rates but I’m willing to negotiate lower rates based on demand.


Why the move to self-employment

I had an opportunity to start monetizing the Exploring Information Security podcast back in 2019. I was starting to have people from vendors reach out to me about hosting a guest. I had some conversations about it, but I still had a full-time job that I enjoyed and had recently been promoted into management.

As I discussed in my final episode, I decided to shut the podcast down because management was a very stressful job. I was compensated well enough and wasn’t really looking for another source of income. I also wanted to spend more time with my family. I had spent less time with them so I could develop my career and get us to a better financial situation.

Fast forward several years and I am at a transition point in my career. I have enough money saved up that I don’t need to immediately find a job. I had planned to launch this last summer, but I had an opportunity to join some friends at Antigen and see the inner workings of a startup while I helped get them through the busy season of incident response. I am very grateful for that opportunity and it gave me time to further refine Exploring Information Security.

I am still looking for a job, and if you’re interested in chatting, reach out to me on LinkedIn.


What are the services

Looking back over my career, I realized I really enjoyed being an educator and building out programs and processes that helped an organization be more efficient and effective. With that in mind, the services I am offering are built around that. I am throwing several different services out there to see what will stick.

Sponsorships

This is for vendors who are looking to expand their brand. I’ve got several ways of doing this via the podcast and website. An existing or upcoming show can be sponsored. My podcasts are meant to be timeless and I’ve found that people don’t listen to the podcast in order. They pick and choose whatever podcasts interest them. Sponsoring a show means the ad will run for a much longer time.

Ads are short advertisements prior to or during the show. If a pre-existing show is sponsored, I will edit and re-add it so it gets refreshed in feeds. Another option is to produce an episode specifically for the vendor. A guest from the company comes on to discuss a topic that relates to a product or service. You can also hire me to run your podcast or webinar panels.

For the website, vendors can sponsor specific pages, blog posts, or the website overall with a banner ad. This can be an existing page or I can create one. Rates are based on effort and other factors.

Hit the contact button if you’re interested in these services.



Education

I’ve presented at several conferences and local user groups over the years, but I’ve done even more inside organizations. I always like putting together presentations that are engaging and help people learn about security. The website is a reflection of that. Security awareness is something that I think is very important for an organization, but every time you bring it up to people they don’t have a good experience with it. I want to change that. I want to make content that is engaging and is something people will engage with more.

Coaching is something I’ve done a lot of as a manager and as a mentor to people in the space. This is why I’m offering Cyber Security Coaching services for individuals and organizations. I’ve had lots of conversations with people in management who are struggling to upskill their staff, and I believe I can help with that problem.

Management is something I’ve done for over six years. It’s where I always wanted to be in my career and I spent a lot of time studying and consuming podcasts on the topic. It’s something I’ve been very good at, as I’ve been able to retain people and get the most out of them. I knew that once I got into management I needed to shift my mindset from a doer to a delegator. My results were going to come from my team, not from what I did.

There’s a talent shortage, but managers can get more out of their people and do so without increasing the work week. I’ve done it and I’m happy to share how I’ve done it as part of Management and Hiring Consulting services. You can also review the management resources page on the site. It’s all my “secrets” to management. If you don’t have time for that, click the contact button.




Security Consulting

I’ve built lots of programs and processes over my career. Many of them are still running today. I build programs to outlast me. My specialization is application security, vulnerability management, and security awareness.

I’ve implemented an application security program that got vulnerabilities down to zero for existing applications in 6 months. I’ve also improved security in cloud environments, taking security scores in the 20% range and getting them to over 90%.

I’ve built a vulnerability management program that reduced vulnerabilities in the environment by 86% in the first year. After a few years vulnerabilities in the environment were below 20 thousand after starting at over two million.

I’ve conducted security awareness training at lunch and learns, town halls, secure code training, and post-incident sessions. I’ve also built a phishing program that phishes 6,000+ employees monthly and reduced click rates and increased reporting rates by over 50%.

I have experience in other areas such as security engineering, pentesting, security operations, governance, risk, and compliance. I am a generalist with a wide view of security and how it can make the business better. The contact form is below.




Speaking Engagements

I enjoy taking a complicated topic and breaking it down into understandable and actionable terms. I’ve been doing this for several years both at conferences and internally at organizations. I think presenting is an art and that content can be engaging, which is why I’m offering up my services for conferences or internal events people would like me to attend. Along with podcast services, I’m willing to run a podcast or moderate a webinar panel for organizations as part of their marketing initiatives.




Donate

I’ve gotten a lot of great feedback over the years on the podcast. I’ve heard from professors who assign their students podcast episodes to listen to for homework. I’ve had co-workers let me know they listened and enjoyed the show. I’ve had people in the industry reach out to me to ask when I was bringing the podcast back. Today is that day and I’m excited to make a small impact on the industry!

For people looking to support the podcast I’ve set up a way to donate. The more donations I get, the more opportunity I have to focus on developing great content for this site. Click the donate button to show appreciation and help me focus on producing content for the site.

Review

To review, I’m excited for the opportunity to see if I can make Exploring Information Security a sustainable company. To this day I still meet people who used to listen to the podcast and I’m often asked if I’ll be bringing it back. That day is today!

I want to keep this going even if I end up having to get a job. Launching it with services will hopefully make it sustainable and allow me to regularly produce content and build out the website. For individuals looking to contribute, I have set up a place to support the show by donating money. I may down the road add a subscribers portal, but the podcast and the content on this site will always be free. I want this site to help people grow and develop their careers and tackle the difficult problems in the information security space.

If you’re interested in services or just want to drop a note or question, reach out by filling out the contact form below.

In Product. Tags: services, sponsorship

[Image generated with ChatGPT]

Cybersecurity Predictions for 2024

January 1, 2024

Here are my predictions for 2024.

Exploring Information Security relaunches

I will be launching Exploring Information Security as a company in 2024. I may or may not have some insider information. I’m in a bit of a career transition and I have the opportunity to try turning this idea into a company. More details to come.

New buzzwords

I asked ChatGPT for some 2024 buzzwords. A couple of my favorites include:

Cyber Resilience: Focusing on an organization's ability to continuously deliver the intended outcome despite adverse cyber events.

Regulatory Compliance Tech: As regulations around data privacy and cybersecurity tighten, technologies and solutions to aid in compliance will be crucial.

Cyber resilience is an interesting one because I’ve worked in the Incident Response space for the last several months, and the difference in backup plans for a ransomware attack varies by company in the small to medium business market. Some have plans on how to continue to operate while others have zero ability to operate while down. This is basic disaster recovery planning, and it doesn’t have to be malware; it could be a natural disaster. I expect ransomware will become more of a topic in disaster recovery planning.

ChatGPT gave me plenty of AI buzzwords and I think that’s what we’ll see more of in 2024. AI will be thrown in everything even more than it was before. I imagine some form of AI defense or AI security will emerge as well because it’s a bit of a hot topic.

More breaches reported earlier and then updated later

As I wrote last week in Okta and 23andMe: A New Public Relations Tactic in Disclosure?, I suspect companies will report breaches sooner with limited information and then update later. First impressions are a hard thing to overcome. This is something companies will look to exploit as they try to control the public relations narrative.

On the less cynical side, the new SEC incident disclosure rules are in effect and companies have less time to report on a breach. This could mean companies are reporting with less information and then need to update later. We’ve already seen a ransomware gang try to use this new disclosure rule to their advantage by filing a complaint with the SEC because the company refused to negotiate.

Social engineering continues to make a comeback

With groups like Scattered Spider and LAPSUS$ emerging over the last couple of years, I expect there to be more social engineering based attacks to get into an organization. We saw it in the second half of this past year with the MGM, Caesars, and Okta hacks. The Verizon Data Breach Investigations Report highlights the human element every year. We are the most susceptible systems in an organization. Everyone can be manipulated in some way.

Finally, AI will start to have a large impact on the workforce

AI is here to stay and I can tell you from experience that it is very useful. It will change society significantly over the next 10 years. Next year is going to be a big year. 70-80% of this site is built with the help of AI. I would not have been able to put up as much content without it. It’s been a great learning opportunity.

Development and documentation based professionals will be impacted the most this year. People who use it will put out more work than their co-workers. People who don’t will be let go because they won’t be needed. Developers are already using it to start code and build unit tests. GRC folks can write 10 policies in a matter of just a few hours. I did it for a company last year. Whatever field you’re in, I’d recommend starting to get familiar with it now because the next generation of professionals is already there.

What are your predictions for 2024? Leave a comment below.

In Opinion. Tags: predictions

Change Log - December 22-28, 2023

December 29, 2023

This is a log of changes to the site over the last week.

New pages:

Services page updated

  • Podcast and Website Sponsorship page added - details sponsorship opportunities for the podcast and website
  • Security Awareness Training page added - details security awareness training the company offers
  • Cybersecurity Consulting page added - details consulting services for the cybersecurity space
  • Cybersecurity Coaching page added - details on services for cybersecurity coaching
  • Management and Hiring Consulting page added - details what services are available for management and hiring consulting
  • Speaking Engagements page added - details services for speaking at events


Blog posts:

Web Application Testing: Portswigger Burp Suite vs OWASP ZAP - I talk about my experiences and view on the two testing tools.

In Website. Tags: website, change log

[Image generated by ChatGPT]

Web Application Testing: PortSwigger Burp Suite vs OWASP ZAP

December 28, 2023

Both OWASP ZAP and PortSwigger Burp Suite are exceptional tools designed to identify vulnerabilities in web applications. I’m one of those oddballs who prefers ZAP over Burp Suite. Most (95%) of penetration testers and application security engineers prefer Burp. We’ll dive into the history and differences below.

History

OWASP ZAP is an open-source web application security scanner. Ideal for beginners and intermediate users, it offers an intuitive user interface and a wide range of features. ZAP is particularly known for its active and passive scanning capabilities, spidering, and a powerful REST-based API. Being a community-driven project, it's continuously updated with new features and security tests.

I started using ZAP when I was asked to stand up an application security program for an agency in South Carolina where I was employed. I knew nothing about application security but quickly found the Open Web Application Security Project (OWASP) and a free tool for testing applications, the Zed Attack Proxy (ZAP). With the tool I found my first vulnerability, a blind SQL injection, which kick-started the application security program at the agency. Nearly a decade later the developers are still using ZAP to test their applications prior to going to production.

According to ChatGPT:

Burp Suite, developed by PortSwigger, is a more comprehensive suite of tools. It includes an advanced set of features like detailed manual testing tools, automated scans, and the ability to save and resume sessions. Burp Suite comes in various editions, with the free version offering basic functionalities, and the professional version providing more advanced capabilities.

This is the view of most professionals within the security testing space that I’ve interacted with. A lot of this comes from the history of ZAP, which was a fork of another open-source proxy called Paros Proxy. Development is no longer done on Paros, but ZAP is still being developed and has a lot of community support.

ZAP has a lot of the features ChatGPT mentions above as well. The tools are 90% the same with some slight nuances in functionality. Either tool will test an application sufficiently.

ZAP vs Burp

ZAP was written by a developer named Simon Bennetts. I had the pleasure of having Simon on for the eighth episode of Exploring Information Security. I’ve used Burp throughout my career, first as part of training courses such as Tim Tomes’ Practical Web Application Penetration Testing (PWAPT). I tried it as part of my day-to-day work, but I would usually fall back to ZAP. I found the interface of ZAP more user friendly, and I’ve heard people who prefer Burp confirm that they liked some of the organization of the ZAP interface.

Burp is still a fine tool; it just takes a little more time to get used to the interface. Having used ZAP, that was just my preference. I’ve used both in assessments and found the findings very similar. Burp’s plugin ecosystem is more robust, but ZAP has plugins and they are kept up to date regularly. Both are well-documented tools and easy to go through and learn. PortSwigger offers a lot of free online resources for learning how to use the tool better, which is probably a large reason why a majority of testers use it.

I like ZAP for developers because it was written by a developer and it’s free. Burp has a community version, but its automated scanning is rate limited unless you have the paid version. You can get the testing done; it just takes longer. One of the features I’ve heard proponents of ZAP appreciate is the Forced Browse feature, which does a good job of finding directories in an application.

Final thoughts

Either tool is good for testing web applications. It really comes down to preference and the situation a person is in. If you’re looking to get developers more involved in testing, ZAP is a great fit. If you’re looking for a specific plugin for testing, Burp will probably have it. Results are going to be very similar.

What’s your preference for web application testing tools?


Created with the help of ChatGPT

In Technology. Tags: Burp, ZAP

Change Log - December 15-21, 2023

December 22, 2023

This is a log of changes to the site over the last week.

New pages:

MGM and Caesars Hack - Page giving a summary of the attack and impact.

23andMe Hack - Page giving a summary of the attack and impact.

Okta Hack - Page giving a summary of the Okta hack from October 2023

Blog posts:

Log4Shell, is it really an issue at this point? - Blog post on my experience with Log4Shell and its actual severity.

Okta and 23andMe a new public relations tactic in disclosure? - Blog post asking if PR firms are trying a new tactic to take the heat off a breach.

Tips to Help Build Strong Relationships Inside and Outside of Work - Blog post on techniques for building better relationships.

Other:

Services page - updated and added more of a description overview.

In Website. Tags: website, change log

Tips to help build strong relationships inside and outside of work

December 21, 2023

I love the saying from Manager Tools.

“There are three types of power: technical power, role power, and relationship power. Relationship power is 75% of the power in an organization.”

I quote it a lot to people when I’m having discussions about organizations.

Building relationships with people internally is what has allowed me to be successful in my career. We cannot do it all on our own. The techniques for building relationships apply both internally to a company as well as outside of the company at networking events. Here are some of the things I have done to build strong relationships inside and outside an organization.


How to build relationships

Ask questions

The number one thing I use to build relationships is asking questions. Then I follow that up by actively listening to the answer and asking more questions.

People’s favorite subject is themselves. Getting them to talk about themselves makes them feel good. If you are asking the questions you are the reason for that feeling. People will pick up if you’re being inauthentic, so it really helps if the questions are coming from a genuine curiosity. Look at them and hear what they’re saying and ask follow up questions to what they have just said.

When I first started doing this it was pretty hard. I liked to interject my own commentary. As I worked on it, it eventually became easier. It is okay to interject here and there, but talking less and listening more overall will help endear you to people quicker.

This was the tool I found most effective working with developers. Code is a developer’s baby. They create it. They nurture it. They get frustrated when it doesn’t pass tests. They may have dropped it once or twice. It’s their baby though and coming in and calling it ugly (even if it is ugly) isn’t going to make many friends.

This is where questions help. Developers light up when you show an interest in their code (baby) and they will tell you everything about it. This helped me understand the code better: why it was written the way it was written, and it allowed me to have tough conversations with them when it was causing problems. I had built that trust and they knew I was only trying to help them make the best code possible.


Spend time together

When you spend time together there’s a bonding that occurs. This builds trust and allows for people to get to know each other better. I’ll go to lunch with people if asked or I’ll ask others if they are interested in going to lunch. It’s a great way to just have a normal conversation outside of work. Asking questions gives insight into the person.

If money is tight, this can be done at work. If there’s an open spot at a table, ask to join (asking questions again ;). If it isn’t, people will often tell you to pull up a chair and join them anyway. Worst case, look for someone else to sit with. People that are sitting by themselves usually won’t mind company.


Stay in touch

Make sure to stay in contact with people. This became harder with the pandemic and everyone working from home. Often I would reach out to them if we hadn’t chatted in a while and I was in a meeting with them. I’d shoot them a quick IM saying hi and asking how they were doing.

The Allen Curve is a study from the 1970s that found that as the distance between engineers increased, communication became less frequent. If you are wondering why CEOs want people in the office, it’s because of The Allen Curve (a future blog post).

[Image: the Allen Curve, courtesy Clutch.co]

I’m surprised at how many people are not familiar with this idea. Regardless, as distance increases, communication decreases. It makes sense. When you were in school you stayed in contact with your classmates more often. As people moved, the communication between people became less frequent. You may have experienced this during the pandemic with coworkers. The person you got coffee with every morning and chatted with about work or real world events you no longer communicate with on a regular basis. I’ve seen this apply with people just switching floors or moving to a different part of the building. The distance doesn’t need to be far for communication to drastically decrease.

If you are back in the office walking around can be a good way to stay in touch, as well as get a little exercise and a break from the computer. Working remotely is tougher. That’s why I set up reminders to connect with people every so often. This can be a week, month, months, or several months.

Reciprocity

Give without expecting something in return. First, this is a great feeling to just give without expecting something in return. Letting go of the return also helps with any frustration or anger that might occur from not getting something back. This can feel difficult because we all would like to think people will return the favor but it is something that can be practiced. Most people will want to return the favor. It might not be immediate but it will come at some point. Some people won’t return the favor. Either way we learn something about that person. Be careful to identify what people consider a favor because we’ll all have different ideas.

The five love languages is a great resource to read and understand. Some people just want help with their work. Others will want gifts or money compensation. Others will want praise. Understanding what drives people will help better understand what they may give in return.

I enjoy helping others and would rather someone help me than give me a gift. I would often look into help desk tickets for others and try to push them along if I could. This was a small effort for me but paid off when I needed something from these same people. Often, because I had helped them they would return the favor.

Be yourself

Be genuine and authentic. People can tell if you’re just there to get something out of them. If someone determines another person has or is trying to manipulate them the relationship is toast. Be who you are and don’t try to be someone else. You can work to make positive changes in your behavior and habits but ultimately we’re all who we are. I’ve struggled with being myself. I want everyone to like me but that just isn’t possible. I’ve tried being someone else for people and it doesn’t work. I have improved how I interact with people but ultimately I have to still be true to myself and accept that I won’t connect with everyone.

Easy to start habits

Two techniques I like to tell people to start with are using people’s names and saying thank you. Again, people are their favorite subject and hearing their name is a good feeling. You’ll have to identify what and how people like to be called. Don’t just shorten people’s names, because some people like being called by their first name. Some people like using their middle name or nickname. It is also a great way to start a conversation.

Say, “Thank you!” This is so easy to do and one of the least used techniques in the workplace. Say thank you to people for their work. Say thank you for getting you something. Say thank you for sharing their insights. It’s so easy to do and something people don’t hear enough.

Summary

Relationships are a very powerful thing. They can help advance a career and they can help get a job. To build a strong relationship, make it about the other person. Ask questions and spend time with them. Give without expecting something in return. This can feel very difficult because we are very transactional and want to get what’s rightfully ours. Most people will return the favor. From the ones who don’t, you will still learn something about them.

Finally, be yourself and start small. Be who you are, but realize you can make improvements to your behavior and habits. One of those can be using people’s names and saying “Thank you!” for something they’ve done. Gratitude is a powerful thing and makes you and the other person feel good.

How do you go about building good relationships with people? Leave a comment below.

Resources

If you want to learn more about social engineering check out my GitHub page, Social Engineering for the Blue Team. You can also click on Social Engineering page or reach out to me directly with any questions you may have.

Social Engineering - Deep Dive
Contact

This blog post first appeared on Exploring Information Security.



In Experiences, Advice Tags relationship, social engineering, advice, Career

Okta and 23andMe a new public relations tactic in disclosure?

December 19, 2023

I’m starting to wonder if we’re going to see a new tactic for US based companies where they report an initial breach and then report the full extent of the breach later at a more opportune time.

We’ve already seen this, whether intentionally or unintentionally, with the breaches of Okta and 23andMe. Both reported that a small portion of their user base was impacted, then several weeks later reported it as much larger. It would be an interesting tactic, especially since the new SEC rules in place as of December 15, 2023 require companies to report a material cybersecurity incident within four business days.

Public Relations (PR) departments have always looked for ways to limit the impact of a breach hitting the news wire. They’ll often release bad news on holidays or around other major events. Caesars did while the MGM breach was hot in the news cycle. They released their own breach by the same threat actor. A couple months removed and most people only remember the MGM breach.

I’m in the security news bubble so it’s hard to say if this tactic is working. Okta is a company that’s in the security space so most people outside of security don’t care about it. 23andMe is a DNA testing service for health and ancestry discovery and it’s still early to determine the effectiveness of their PR mitigation.

Looking at it from the companies’ perspective, we have asked for more transparency on breaches, and that could be what we’re getting here: they’re providing additional information for disclosure and education purposes. Being honest and conscientious is not always rewarded in the media. Some companies will do the right thing; others will not.

I think it is a new tactic, and I’ll be curious to see whether more companies start releasing an initial compromise and then coming back later to “correct” it. Especially in the case of 23andMe, which has decided to update its Terms of Service to include litigation protection for itself, it just looks bad.

This blog post first appeared on Exploring Information Security.

In Opinion Tags Hack, Okta, 23andMe, PR, MGM, Caesars

Log4Shell, is it really an issue at this point?

December 18, 2023

I thought the Veracode report State of Log4j Vulnerabilities: How Much Did Log4Shell Change? by Chris Eng would be a bit of FUD (fear, uncertainty, and doubt). I was pleased to see that it wasn’t. It provides some great numbers on Log4j and remediation efforts, and I was also happy to see it recognize that developers fix vulnerabilities quickly when alerted about them. This is something I talk about a lot in my presentations and with security folks: developers want to get this right, and having the right approach and empathy in vulnerability management will get them to buy into these efforts.

The next line, though, says the data contradicts the developers’ response because there is so much Log4j still out there. Reviewing the CVEs in the article, most of the remaining Log4j is bundled inside other packages. This is a problem with packages and open source in general: a package can be buried in another package. The left-pad incident highlighted this several years ago. A disgruntled developer unpublished a tiny npm package that left-pads strings, and it broke builds for thousands of projects because that package was buried deep in other packages’ dependency trees.

This is why security needs to take a balanced approach to vulnerabilities and not lean only on the severity rating. We need to be building proofs of concept. The reason Log4j was such a massive thing was that it was buried in other packages. While it might be present in another package, it might not be used or reachable by an attacker. Where it is reachable, it’s important to understand what it gives an attacker.
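The point about Log4j being buried inside other packages is one a scanner has to handle directly, because the outer jar’s filename tells you nothing. As an added example (not code from the original post or from Veracode), the Python below walks a .war/.jar/.ear recursively in memory, identifies log4j-core by its Maven metadata and by the JndiLookup.class entry (suffix-matched so shaded, relocated copies are caught too), and prints a verdict that stops short of “vulnerable”: anything under 2.15.0 with the lookup class present is a CVE-2021-44228 candidate that still needs the reachability check the post calls for. The nested .war it builds is a constructed fixture, and the class bytes in it are placeholders, not real bytecode.

```python
"""Find log4j-core buried inside nested archives and report version plus JndiLookup presence."""
import io
import sys
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Markers that identify log4j-core regardless of the enclosing jar's filename.
JNDI_LOOKUP_SUFFIX = "/lookup/JndiLookup.class"  # suffix match also catches shaded/relocated copies
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric tail is dropped."""
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class Finding:
    path: str               # e.g. app.war!/WEB-INF/lib/vendor-bundle-3.2.jar
    version: Optional[str]  # from pom.properties; None if the metadata was stripped
    jndi_lookup_present: bool

    @property
    def verdict(self) -> str:
        # 2.12.2, 2.12.3 and 2.3.1 were backport fixes, so "candidate" is deliberately not "vulnerable".
        if not self.jndi_lookup_present:
            return "JndiLookup.class absent: CVE-2021-44228 lookup path removed, confirm other log4j exposure"
        if self.version is None:
            return "log4j-core present, version unknown: inspect manually"
        if parse_version(self.version) < (2, 15, 0):
            return "candidate for CVE-2021-44228: confirm reachability with a proof of concept before prioritizing"
        return "2.15+ with JndiLookup still present: check against the later log4j advisories"


def scan_archive(data: bytes, path: str) -> List[Finding]:
    """Recursively walk an archive held in memory; nested archives are read without extracting to disk."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        jndi_present = any(n.endswith(JNDI_LOOKUP_SUFFIX) for n in names)
        if jndi_present or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", errors="replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append(Finding(path, version, jndi_present))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
                except zipfile.BadZipFile:
                    continue  # not actually a zip despite the extension
    return findings


def scan_file(filename: str) -> List[Finding]:
    with open(filename, "rb") as fh:
        return scan_archive(fh.read(), filename)


def build_sample_app() -> bytes:
    """Constructed fixture: a .war whose innocuously named vendor jar is really log4j-core 2.14.1."""
    def make_jar(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; placeholder, not real bytecode
    log4j_core = make_jar({
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": fake_class,
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    helper = make_jar({"com/example/Util.class": fake_class})
    return make_jar({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/vendor-bundle-3.2.jar": log4j_core,  # the filename gives nothing away
        "WEB-INF/lib/helper-1.0.jar": helper,
    })


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [f for t in targets for f in scan_file(t)] if targets else scan_archive(build_sample_app(), "app.war")
    for f in results:
        print(f"{f.path}: log4j-core {f.version or '?'} -> {f.verdict}")
```

Run it against real artifacts with `python scan.py app.war other.jar`; with no arguments it scans the constructed fixture. A finding only says the vulnerable code is shipped, not that the application’s logging ever reaches it with attacker-controlled input, which is exactly the question the pentest team’s proof of concept answers.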

This is where the balance comes in for security. Just because a vulnerability carries an 8-10 severity rating doesn’t mean that’s its actual severity in each environment. If it’s not exploitable it’s more like a 1-3, which moves it down a priority list that usually holds hundreds of thousands of vulnerabilities.

Don’t get me wrong, you want those vulnerabilities addressed, but the timeline for addressing them changes. When I was leading the Log4j remediation effort in our environment we used the pentest team to find what was exploitable externally. After remediating those vulnerabilities we looked internally. Most instances could be patched, but some internal systems couldn’t be updated immediately and required a larger upgrade to accomplish. This is where we established timelines with those teams to get the vulnerability remediated, because we knew what needed addressing immediately and what could take more time. A blanket “patch it all now” would have interrupted business processes and projects and created hard feelings.

It’s worth noting that Log4j is still out there and is probably extremely important for companies to patch. Security needs to identify how much of it is actually vulnerable and work with other departments and teams to figure out the best timeline. Development teams need to be focused on more immediate issues, such as a newly disclosed Atlassian server vulnerability or the latest malicious npm package. Those are more important than a two-year-old vulnerability that may or may not be exploitable. If it is exploitable, go patch now!

Chucking vulnerabilities over a wall to developers is never a good strategy and will waste a lot of time and effort and degrade trust between departments.

If you are in need of consulting services on vulnerability management or application security, click the contact button below and reach out. I’m happy to have a conversation about your struggles and identify how I can best help.

This blog post first appeared on Exploring Information Security.

In Technology, Opinion Tags Log4Shell, Log4j, Development, security, vulnerability

Change Log - December 8-14, 2023

December 15, 2023

This is a log of changes to the site over the last week.

New pages:

Management Resources - This is a page for management resources.

Security Policies - A page with security policy templates that can be downloaded and used within your organization.


Podcast posts:

ColaSec News - November 2023 - This is an experiment I’m toying around with as a regular segment and a return to podcasting.


Other:

Added a new open source section and tool to the API Security Resources page

Open Source:

  • Swagger Jack: sj is a command line tool designed to assist with auditing of exposed Swagger/OpenAPI definition files by checking the associated API endpoints for weak authentication. It also provides command templates for manual vulnerability testing.

I am going to start up a newsletter for the site. Fill out the form below if you’re interested.

This blog post first appeared on Exploring Information Security.



In Website Tags website, change log

Free security policy templates available for download

December 13, 2023

When I started up this website last summer one of the first things I was asked about was creating security policies for a company that didn’t have any. I thought it would be a good opportunity to try out ChatGPT and the results were very exciting. Within a couple hours I had ten policies for a small business that needed them as part of a security review. I had them review and then had them sign them.

ChatGPT provided the first draft and then I edited and customized it to the company. For large companies this isn’t a big deal, but for small companies that need security policies it is a good first step. I’ve decided to release the templates I made on my website. Feel free to provide any feedback in the comment section below.

As I’ve written before, I think AI is going to have a huge impact on society similar to computers or mobile phones. Specifically, in the security space it will impact anyone that creates documents like policies.

You can click the link below to access the policies for download. If you need help with your policies or need other consulting services click the contact link below and fill out the form.

This blog post first appeared on Exploring Information Security.

Security Policies
Contact



In Product Tags security policies, GRC

Interesting security reads: AI, Typosquatting, and Okta

December 5, 2023

Increasing transparency in AI security - Google Security Blog - Interesting article on AI security and how it falls prey to the same supply chain attacks as the software development lifecycle. It goes over how Sigstore and SLSA can help improve the security of the AI development lifecycle.

Have I Been Squatted - This is from the Risky Biz News and looks like a very interesting tool for companies looking to identify if they have any domains being typosquatted that could be used for phishing attacks.

The Okta story continues - Krebs on Security - The plot thickens. All Okta customers were impacted by the breach. Full name and email address were stolen. This is valuable information for attackers looking to phish IT administrators that have permissions into their Okta tenant.

IceKube - WithSecure Labs - This is an interesting tool recently released that checks Kubernetes environments for attack paths. Then it provides a graph as a visual that allows you to see the attack path. This could be very useful for teams looking to understand an environment.

Guidelines for secure AI system development - National Cyber Security Centre UK - AI is a bit of the wild west at the moment, but as governments get a better handle on the technology they’ll start putting regulations and controls in place. Guidance is usually the first step, and it’s worth paying attention to if your company, or the products it depends on, is starting to use AI.

This blog post first appeared on Exploring Information Security.

In Technology Tags Newsletter, AI, Okta, Kubernetes, Open Source

Implementing Dynamic Application Security Testing (DAST) Tools into the SDLC

December 1, 2023

One of the questions that always came up at the end of my API talk was around Dynamic Application Security Testing (DAST) for APIs. I mention DAST in the talk but never really went more in-depth due to time constraints. The questions usually revolved around vendors. In this post I want to talk about how DAST works, I’ll mention vendors from my experience, and finally I’ll go over implementing DAST in the Software Development Lifecycle (SDLC).

HOW IT WORKS

DAST tests an application when it’s stood up and running, usually in a test environment. The test itself looks for the low hanging fruit because it’s running automated tests with no context or awareness of the business function of the application. It will run the same test against a finance system as well as an operational system. This tool is not a replacement for manual testing.

The tool will simulate what an attacker might do to an application. It will check for injection vulnerabilities and weaknesses within connections and protocols to the application. Again low hanging fruit so it will struggle with more involved techniques and misses simple things like URL enumeration and other abuse cases. Overall this tool is a great starting point for applications as it’ll capture a lot of the low hanging fruit but it won’t go much more in-depth than that.

Vendors

OWASP has a list of Vulnerability Scanning Tools AKA DAST available. The main ones I usually recommend are Tenable, Rapid7, and Invicti because I have familiarity with them. I always recommend evaluating multiple vendors before deciding on one. If you’re needing a DAST because of compliance reasons, I’d suggest Tenable or Rapid7 depending on which vulnerability management suite you already own.

If you’re wanting something for more than just compliance, look at Invicti, because DAST is their only focus. That lets them concentrate solely on the DAST technology, whereas Tenable or Rapid7 are providing other security solutions, not just DAST. From a low-cost perspective, OWASP ZAP is free and can be run manually or set up to run automatically in a CI/CD pipeline. Burp Suite’s free Community Edition is fine for manual testing, but its automated scanner and CI/CD integration are only in the paid editions. The cost here is a resource’s time for learning and setting up the tool.

IMPLEMENTATION

DAST is the easiest application security tool to set up in an SDLC. You need a URL, login credentials, and a window in which to scan. I recommend scanning as close to production as possible, but never in production itself: the scanner throws a lot of attack traffic at the application, which can take it down or put junk data into your production databases. Scans can be configured to be less aggressive, but then they miss vulnerabilities.

Scanning in a User Acceptance Testing (UAT) environment allows scans to run at the most aggressive level without impacting production, as long as the database isn’t shared with production. The only catch is finding a time to run the scan so it doesn’t interfere with user testing; scans can be scheduled to run after hours.

The frequency of scanning should be based on how often code is released to UAT. If development is on two-week sprint then it’s reasonable to setup scans to run every two weeks. Some industries only require scanning applications once a month and that’s fine as well because as the vulnerabilities are addressed the need for DAST becomes less important.

Boom! Done!

Not so fast my friend!

Now that we’re scanning, we need someone to look at and tune the results. This person should ideally have application security experience, because they’ll need to understand how the application works or be willing to dive in and learn. DAST has false positives. Not as many as a Static Application Security Testing (SAST) tool, but it will have some. If results are taken from a DAST tool and sent to developers without any vetting, it will either tick off the development team or not get addressed. Often both.

If an application security person or someone willing to learn isn’t available then setting up a meeting with the development team to share findings and ask questions will go over a lot better. Developers are good people and love talking about their code (baby) and they’ll want to make sure it’s protected from the bad guys on the outside. This meeting will need to be a regular one for any new applications loaded into the DAST. As the vulnerabilities get tuned or addressed the meeting can be less frequent. As trust is built the meeting can become an email unless there’s some misunderstanding or a more complicated vulnerability needs to be addressed.
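As an added example that is not from the original post or from any vendor’s tooling, here is a Python gate a UAT pipeline could run after each scan. It reads a report in the shape of ZAP’s traditional JSON export (that shape, the URLs and the plugin ids in the constructed sample are assumptions), skips alerts the reviewer already marked as false positives inside the scanner, ignores anything below an agreed severity floor, honours a reviewer-maintained suppression list in which every entry carries a reason and an expiry date, and fails the build only on new findings or on suppressions that have outlived their review date. That is the tuning step above turned into something the pipeline enforces instead of a spreadsheet.

```python
"""Gate a UAT pipeline on a DAST report while honouring reviewer-tuned suppressions."""
import json
import re
import sys
from datetime import date
from typing import Any, Dict, List, Optional

RISK_NAME = {"0": "informational", "1": "low", "2": "medium", "3": "high"}
RISK_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample shaped like ZAP's traditional JSON report (site -> alerts -> instances).
# Plugin ids, hostnames and paths are illustrative, not taken from a real scan.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://uat.example.internal",
        "alerts": [
            {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://uat.example.internal/api/orders?id=1", "method": "GET", "param": "id"}]},
            {"pluginid": "10020", "name": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://uat.example.internal/static/app.js", "method": "GET", "param": ""}]},
            {"pluginid": "10011", "name": "Cookie Without Secure Flag", "riskcode": "1", "confidence": "3",
             "instances": [{"uri": "https://uat.example.internal/login", "method": "POST", "param": "session"}]},
            {"pluginid": "10096", "name": "Timestamp Disclosure", "riskcode": "0", "confidence": "0",
             "instances": [{"uri": "https://uat.example.internal/", "method": "GET", "param": ""}]},
        ],
    }],
})

# Findings the appsec reviewer has vetted with the dev team. Every entry needs a reason and an
# expiry so suppressions get revisited instead of silently outliving the code they were written for.
SAMPLE_SUPPRESSIONS: List[Dict[str, str]] = [
    {"pluginid": "10020", "uri_pattern": r"^https://uat\.example\.internal/static/.*",
     "reason": "Static assets; security headers are added by the CDN in production", "expires": "2024-06-30"},
]


def flatten_alerts(report: Dict[str, Any]) -> List[Dict[str, str]]:
    """One row per alert instance so suppressions can be scoped to a URL, not a whole plugin."""
    rows = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances") or [{}]:
                rows.append({
                    "pluginid": str(alert.get("pluginid", "")),
                    "name": alert.get("name", ""),
                    "risk": RISK_NAME.get(str(alert.get("riskcode", "0")), "informational"),
                    "confidence": str(alert.get("confidence", "")),
                    "uri": inst.get("uri", ""),
                    "method": inst.get("method", ""),
                    "param": inst.get("param", ""),
                })
    return rows


def find_suppression(alert: Dict[str, str], suppressions: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    for sup in suppressions:
        if sup["pluginid"] == alert["pluginid"] and re.match(sup.get("uri_pattern", ".*"), alert["uri"]):
            return sup
    return None


def evaluate_report(report_json: str, suppressions: List[Dict[str, str]],
                    fail_at: str = "medium", today: Optional[date] = None) -> Dict[str, Any]:
    """Bucket every alert; the build passes only if nothing is new and no suppression has expired."""
    today = today or date.today()
    threshold = RISK_RANK[fail_at]
    result: Dict[str, Any] = {"new": [], "suppressed": [], "expired": [], "below_threshold": [], "passed": True}
    for alert in flatten_alerts(json.loads(report_json)):
        if alert["confidence"] == "0":
            continue  # reviewer already marked this a false positive inside the scanner
        if RISK_RANK[alert["risk"]] < threshold:
            result["below_threshold"].append(alert)
            continue
        sup = find_suppression(alert, suppressions)
        if sup is None:
            result["new"].append(alert)
        elif date.fromisoformat(sup["expires"]) < today:
            result["expired"].append(alert)  # suppression outlived its review date; surface it again
        else:
            result["suppressed"].append(alert)
    result["passed"] = not result["new"] and not result["expired"]
    return result


if __name__ == "__main__":
    report_json = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    outcome = evaluate_report(report_json, SAMPLE_SUPPRESSIONS, fail_at="medium", today=date(2024, 1, 15))
    for bucket in ("new", "expired", "suppressed", "below_threshold"):
        for a in outcome[bucket]:
            print(f"[{bucket}] {a['risk']:<7} {a['pluginid']} {a['name']} {a['method']} {a['uri']}")
    sys.exit(0 if outcome["passed"] else 1)
```

Start with `fail_at="high"` for a newly onboarded application and drop it to `medium` once the first rounds of tuning with the development team are done; that matches the cadence described above, where the review meeting gets less frequent as trust builds. The suppression list belongs in the application’s repository so developers can see, and challenge, what was tuned out.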

Summary

DAST is easy to set up, but it’s the tool that gets kicked off last. As more security tooling gets implemented and the program matures, the importance of DAST lessens. It’s still a great starting point for any application security program. Always evaluate multiple DAST vendors. If it makes sense to go with a DAST that is already part of a suite of other tools, go with that.

The strategy for implementing DAST is the same for web applications as it is for APIs. You won’t see as many results for APIs because their use is more restrictive than a website. The main concern with APIs is authentication and authorization issues. DAST will be able to call out weak protocols but it will not be able to identify if a person has the access they need. Remember to work with the development team on getting DAST setup because their help will be needed for addressing vulnerabilities.

If you’re looking for an API vendor focused on testing, I’d recommend 42Crunch.

Drop a comment below if there are any questions or other topics you’d like me to cover. If you’re interested in services I have sponsorship, consulting, and speaking engagements available. Reach out via the contact form.

This blog post first appeared on Exploring Information Security.

In Technology Tags DAST, appsec, API, Invicti, Rapid7, Tenable

Why Taking a Break is Important

November 29, 2023

Because we all need opportunities to recharge our brain. Even Bill Gates took a week off twice a year to recharge. I like to take a week in the spring and one in the fall just for myself to recharge. I usually play golf and video games during that week. I’ve found I’m stressed leading up to that week and recharged after it. This is outside of family trips and vacations, which can add a wrinkle to taking time off if paid leave is limited. I’ve been fortunate to work at companies where I have quite a bit of time off and can work from anywhere, so I can maximize the time off when I get there.

At one point I thought some friends and other people I knew who seemed to work all the time were different but eventually they burned out too. I do think tolerances are different and some people need less time away from others but we all eventually do need some time to unplug. And this isn’t going on vacation and answering emails or responding to alerts. It’s getting away completely. This was recently reaffirmed to me in my current role at an incident response company.

Notifications are the devil. Leaving notifications on is very much death by a thousand notifications. In my current role I started with email and multiple IMs on. I’ve since reeled that in to just IM notifications and direct mentions, specifically because no time of day or weekend was safe. Each notification requires brain energy. It’s like running a car: if you leave it on, even in park, it will run out of gas. Turning off the car, and in this case the notifications, saves some of that energy for when I need to make a trip.

As a leader I need to be conscious of this because I impact a lot more people at work. I remember delivering a performance review to someone in January and they were a little surprised at the exceeding-expectations review I gave them. They told me that at the end of the year they had been wondering what they had done wrong to tick me off. As I reflected I realized I was burnt out during that time. While I tried to put on a nothing-is-wrong face, and I don’t yell at people, it was still pretty clear to the people who reported to me (and probably those who didn’t) that I was in a foul mood.

I also need to be watching out for my directs and ensuring they’re in the best state mentally. Again, some people are better at it than others, so identifying the people that need to be told to go on paid leave is important. People earlier in their career are usually the ones that will work until they have some sort of breakdown. I know I was and to a certain point I still am based on what happened as a manager. Coming from a military background and getting into the private sector I expected to be told when to go home sick and when to go on leave. By the way if you’re sick go away and if you’re in an office go home.

I had 60 days of leave available when I left the Navy. Now, I did take that as terminal leave and enjoyed my last two months of service playing World of Warcraft: The Burning Crusade, but it highlights that I really wasn’t taking time for myself. As we get older there are more and more stresses added to our life and career. Starting a family or having family members to take care of takes its toll. As we advance in our careers we get better at what we do and gain wisdom from our experiences, but new problems like politics and health issues start to creep into our world. It’s more important than ever to make sure we are taking breaks to ensure we’re performing at our best.

This blog post first appeared on Exploring Information Security.

In Experiences, Advice Tags taking a break, Career, advice

Meeting Dug Song - some guy who started up Duo Security

November 27, 2023

Recently at misecCON I had the pleasure of meeting Dug Song at the speakers’ dinner. He was the opening keynote and I was the after-lunch presenter on API security. When he walked in I had no idea who he was outside of being the keynote speaker. As I was scooting down to make room for him I got the sense that the guy sitting next to me was disappointed. I asked him as much and he confirmed that he would love to be sitting next to Dug and that he might fanboy a bit over me.

Something you should know about me is that I’m a bit oblivious at times. I try to treat everyone the same, whether they’re a new person in the field or a rock star. And by rock star I mean a literal rock star. I’ve sat at dinner across from Neil Fallon from Clutch and had a genuinely pleasant conversation. Dug and Neil are people too, and they wouldn’t be sitting with me for dinner if they weren’t down to earth.

I’m writing about this because I’ve recently started reading “The Daily Laws” by Robert Greene and I think today’s entry fits perfectly: “Assume You’re Misjudging the People Around You.” It’s a great reminder not to jump to conclusions about people. Throughout my career I’ve had people I thought were mentors suddenly stop communicating with me. I’ve also met people who didn’t leave a great impression on me come around later in my career and make a great one. You just never know in your career, which is why it’s important to remain humble and not make assumptions about the people you meet.

What I loved about my interaction with Dug was that he seemed to foster this mindset. He was very gracious and patient when I asked whether he knew about MiSec (he’s the founder of the Song Foundation) and whether he had ever been in a startup (Duo). He also tried to steer the conversation away from himself and asked questions of the others sitting around the table. We had some great conversations about a lot of different things inside and outside of security.

Networking is huge for anyone in a career. Go out and meet people but avoid making assumptions about people. Give everyone an opportunity because you might end up finding a really great person to connect with.

This blog post first appeared on Exploring Information Security.

In Experiences Tags Security Conference, Duo, Dug Song, networking

Guy getting social engineered

Social Engineering is making a come back

November 21, 2023

History always seems to repeat itself.

History of social engineering

Ransomware has been around since the late 1980s. Social engineering has technically been around since the advent of human communication. In the context of technology security it’s been around since phreaking techniques were used in the 1960s and 1970s as a way to take advantage of phone systems. Today it’s phishing, vishing, smishing, and much more. It’s been around but not the main technique used to get into an organization, well until now.

It seems as vulnerability management and incident response improves attackers are switching to social engineering via phone. I recently heard from a friend about another friend who got all their work logins compromised via an attacker calling into the help desk and resetting his password and MFA. This comes on the heels of the MGM and Okta breaches.

MGM

Like the movie Ocean’s 11, attackers used social engineering to get into MGM’s systems: they impersonated an employee and called the help desk to have that account’s credentials reset. This resulted in ransomware being deployed in the environment and cost the casino operator an estimated $100 million.

Okta

The compromise of session tokens via Okta’s customer support system is probably even scarier, because Okta holds the keys to a lot of other organizations. This breach gives attackers information to pivot into those organizations.

What’s next for social engineering

When attacks like the two examples above are successful and result in lots of money and infamy others start copying the techniques used. I would expect us to continue to see attacks like these going forward which means more focus will be needed on security awareness. Groups like Scattered Spider are already starting to pop up and their focus is on social engineering their way into organizations. Then with that access ransomware gangs begin deploying ransomware. This highlights a need for good detection procedures and technologies. We’ll probably also see more difficult controls put in place to protect accounts. This will degrade our account access user experience as a side effect.

Resources for Social Engineering

Social-Engineer: This is a company started by Chris Hadnagy focused on social engineering. They provide resources and also assessments for an organization that focus on social engineering. He’s written several books as well on the topic that I highly recommend.

One of those books:

"Social Engineering: The Art of Human Hacking" by Christopher Hadnagy: This book delves into the psychology and techniques of social engineering.

Krebs on Security is a great blog to follow in general. He covers a variety of topics mostly around breaches.

This blog post first appeared on Exploring Information Security.

In Technology Tags social engineering, hacking, breach, MGM, Okta, ransomware

MISSECON thoughts and impressions

November 18, 2023

Prior to the pandemic, misecCON (the conference formerly known as Converge/BSides Detroit) was the last conference on my schedule for the year. Post-pandemic I’m happy to see it back, because it’s such a great conference. The conference moved out of Detroit to Lansing, Michigan. I really like the location. It has that DerbyCon type of feel with the hotel as its central location. There are plenty of food and after-conference options for people to explore and experience. This version was only one day, so time for exploring was limited, but what I did get to explore was great.

The conference had over 170 people show up, so it wasn’t overwhelming, but there were plenty of good conversations with attendees and great presentations to attend. I also really enjoyed the capture the flag (CTF) and even hopped in with a team for a short period of time. The venue was the DoubleTree Hotel Lansing and I was very pleased with the accommodations and rooms. For lunch I went to Weston’s Kewpee Sandwich Shop and had a burger that has been sold for the last 90 years. A burger that’s been sold for 90 years is quite delicious. I like to get away from the conference and have lunch with friends as a break. For the record, the lunch the conference provided also looked delicious. Not all conferences provide a solid lunch, so that’s a huge plus for this one.

The after party was also great. It was at a place called the Lansing Shuffle which used to be an old farmers’ market on the river. We had a small section of the vibrant scene which included music and plenty of food options. The food provided was very good and the open bar had lots of options.

The rebirth of the conference is encouraging. The location is fantastic and has opportunity for growth into a bigger space which I think it will. I’ve heard there are bigger plans for next year with additions like workshops and other activities. I can’t wait to come back again in 2024.

This blog post first appeared on Exploring Information Security.

In Experiences Tags conference, security conferences, misec

Heading to MISSECCON

November 10, 2023

I am super excited to be heading back up north to Lansing, Michigan, which is right in between Grand Rapids and Detroit. You might be wondering why I would leave the comfort of Tennessee to head up to the soon-to-be-frozen north. It’s MISSECON (#missecon), a conference rising from the ashes of Converge and BSides Detroit post-pandemic. MISEC itself is a huge community of infosec professionals with multiple locations across Michigan. I’ve had the pleasure of getting to know several of the members and they’re all quality individuals. If you can make the trip I would recommend it!

This will be my final time speaking on API security. I’ve really enjoyed putting the talk together and refining it over the last few months. I’ve learned a lot and I hope others have as well from my presentations. I’ve put all the resources and content from the talk at https://www.exploresec.com/api. I am working on a blog post about Dynamic Application Security Testing (DAST) because it’s the one question I’ve been asked after every talk.

I’m already starting to think about what topic I’d like to present on next year. CFPs are already opening up for the spring. One consistent concept throughout my presentations over the year has been threat modeling but I’d also like to do something like security awareness. Both are really important for an organization. The problem is that it’s hard to get them accepted at conferences. My API talks were accepted because it was a hot topic in the community but also I believe it’s still a hot topic for companies internally. Another topic I’ve found really interesting is how ransomware gangs work. There’s a lot of research that’s come to light over the past few years that makes it a really good topic to present.

More to come! Hope to see you at MISSECON!

This blog post first appeared on Exploring Information Security.
