Tag Archives: infosec

Fear and Loathing in Vulnerability Management

Vulnerability management – the security program that everyone loves to hate, especially those on the receiving end of a bunch of arcane reports. Increasingly, vulnerability management programs seem to be monopolizing more and more of a security team’s time, mostly because of the energy involved with scheduling, validating and interpreting scans. But does this effort actually lead anywhere besides a massive time suck and interdepartmental stalemates? I would argue that if the core of your program is built on scanning, then you’re doing it wrong.

The term vulnerability management is a misnomer, because “management” implies that you’re solving problems. Maybe in the beginning scanning and vulnerability tracking helped organizations, but now it’s just another method used by security leadership to justify their every increasing black-hole budgets. “See? I told you it was bad. Now I need more $$$$ for this super-terrific tool!”

Vulnerability management programs shouldn’t be based on scanning, they should be focused on the hard stuff: policies, standards and procedures with scans used for validation. If you’re stuck in an endless cycle of scanning, patching, more scanning and more patching; you’ve failed.

You should be focused on building processes that bake build standards and vulnerability remediation into a deployment procedure. Work with your Infrastructure team to support a DevOps model that eliminates those “pet” systems. Focus on “cattle” or immutable systems that can and should be continuously replaced when an application or operating system needs to be upgraded. Better yet, use containers. Have a glibc vulnerability? The infrastructure team should be creating new images that can be rolled out across the organization instead of trying to “patch and pray” after finally getting a maintenance window. You should have a resilient enough environment that can tolerate change; an infrastructure that’s self-healing because it’s in a state of continuous deployment.

I recognize that most organizations aren’t there, but THIS should be your goal, not scanning and patching. Because it’s a treadmill to nowhere. Or maybe you’re happy doing the same thing over and over again with no difference in the result. If so, let me find you a very large hamster wheel.

hamster_meme

 

Tagged , , , , , ,

Why You Shouldn’t Be Hosting Public DNS

As a former Unix engineer who managed my share of critical network services, one of the first things I do when evaluating an organization is to validate the health of infrastructure components such as NTP, RADIUS, and DNS. I’m often shocked by what I find. Although most people barely understand how these services work, when they break, it can create some troublesome technical issues or even a full meltdown. This is especially true of DNS.

Most problems with DNS implementations are caused by the fact that so few people actually understand how the protocol is supposed to work, including vendors.The kindest thing one can say about DNS is that it’s esoteric. In my IT salad days, I implemented and was responsible for managing the BIND 9.x infrastructure at an academic institution. I helped write and enforce the DNS request policy, cleaned up and policed the namespace, built and hardened the servers, compiled the BIND binaries and essentially guarded the architecture for over a decade. I ended up in this role because no one else wanted it. I took a complete mess of a BIND 4.x deployment and proceeded to untangle a ball of string the size New Zealand. The experience was an open source rite of passage, helping to make me the engineer and architect I am today.  I also admit to being a BIND fangirl, mostly because it’s the core software of most load-balancers and IPAM systems.

This history makes what I’m about to recommend even more shocking. Outside of service providers, I no longer believe that organizations should run their own public DNS servers. Most enterprises get along fine using Active Directory for internal authentication and name resolution, using a DNS provider such as Neustar, Amazon or Akamai to resolve external services. They don’t need to take on the risk associated with managing external authoritative DNS servers or even load-balancing most public services.

The hard truth is that external DNS is best left to the experts who have time for the care and feeding of it. One missed security patch, a mistyped entry, a system compromise; any of these could have a significant impact to your business. And unless you’re an IT organization, wouldn’t it be better to have someone else deal with that headache? Besides, as organizations continue to move their services to the cloud, why would you have the name resolution of those resources tied to some legacy, on-premise server? But most importantly, as DDoS attacks become more prevalent, UDP-based services are an easy target, especially DNS. Personally, I’d rather have a service provider deal with the agony of DDoS mitigation. They’re better prepared with the right (expensive) tools and plenty of bandwidth.

I write this with great sadness and it even feels like I’m relinquishing some of my nerd status. But never fear, I still have a crush on Paul Vixie and will always choose dig over nslookup.

 

Tagged , , , , ,

Introducing: Security SOC Puppets

Gert and Bernie

Please join Gert, Bernie and friends in their wild adventures through cyberspace! In episode one, our woolen friends explore the frustrating topic of email encryption.

Tagged , , , ,

Don’t Let the Grinch Ruin Your Credit

Believe it or not, I actually like to educate my friends and acquaintances about technology. It makes my skeptical, shriveled, infosec heart grow a few sizes larger when I solve even the simplest problems, making someone’s life a little easier. So I was ecstatic to create and teach a free online-safety webinar for one of my favorite programs, AARP Tek Academy. While not as exciting as chasing down hackers or fighting a DDoS attack, it was a very rewarding experience.  And I didn’t have to argue with anyone about budgets or risk. So please share it with your Luddite friends this holiday season.

You can access the webinar here.

grinch_heart

Tagged , , , , ,

Ending the Tyranny of Expensive Security Tools

My obsession with talking about low-cost security tools all started with an article for TechTarget. It morphed into a session for Interop, then a sponsored webinar (by a vendor, go figure) and finally a longer mega-webinar for Ipspace.net. Maybe it’s because I’ve spent most of my time in the non-profit realm, but I simply hate spending money unnecessarily on products that replicate functionality of something my organization already owns. What follows is an excerpt of a post I wrote for Solarwinds on the topic.

Security tools: sometimes it seems that we never have enough to keep up with the task of protecting the enterprise. Or, at least it seems that way when walking the exhibit floor at most technology conferences. There’s a veritable smorgasbord of tools available, and you could easily spend your entire day looking for the perfect solution for every problem.

But, the truth is, IT teams at most organizations simply don’t have the budget or resources to implement dedicated security tools to meet every need and technical requirement. They’re too busy struggling with Cloud migrations, SaaS deployments, network upgrades, and essentially “keeping the lights on.”

Have you ever actually counted all the security tools your organization already owns? In addition to the licensing and support costs, every new product requires something most IT environments are in short supply of these days—time.

Optimism fades quickly when you’re confronted by the amount of time and effort required to implement and maintain a security tool in most organizations. As a result, these products end up either barely functional or as shelfware, leaving you to wonder if it’s possible to own too many tools.

There has to be a better way.

Maybe it’s time to stop the buying spree and consider whether you really need to implement another security tool. The fear, uncertainty, and doubt (FUD) that drives the need to increase the budget for improving IT security works for only so long. At some point, the enterprise will demand tangible results for the money spent.

Try a little experiment. Pretend that you don’t have any budget for security tools.  You might discover that your organization already owns plenty of products with functionality that can be used for security purposes.

You can read the rest of my rant here.

Tagged , , ,

Security Training for Cheapskates

During a recent webinar I gave, someone asked how soon I would be doing another one. I was flattered, but responded that because of a full-time job as an architect, my time was limited. “Besides,” I said, “you don’t need to wait for me, there’s plenty of free or inexpensive security training available online.”

Security professionals love to share and show off what they’ve learned. Some of us crave the warm fuzzy of helping our colleagues, while others do it to demonstrate their wicked skills or build their resume. Regardless of the motivation, that means there’s always abundant content to help you learn and grow.

Here’s a list of useful sites that I’ll try to keep updated. If you know of others and would like to contribute or if you think the training is outdated or bad, please let me know and I’ll adjust the list accordingly.

Securitytube.net – a project of security researcher, Vivek Ramachandran.

Hak5.org – Online security show produced by Darren Kitchen (of Pineapple WiFi router fame) and a collection of nerds who demo security tools and hacks. Includes Metasploit Minute with the awesome @Mubix.

OWASP – The Open Web Application Security Project has lots of “how to” guides and videos.

Offensive Security’s Vimeo Channel

Metasploit Unleased, Made for Hackers for Charity, an ethical hacking course provided free of charge to the InfoSec community in an effort to raise funds and awareness for underprivileged children in East Africa.

Georgia Weidman:Bulb Security – creator of the Smartphone Pentest Framework, researcher and author of Penetration Testing: A Hands-on Introduction to Hacking. She offers inexpensive online training in pentesting.

Adrian Crenshaw’s site, Irongeek, with conference and training videos.

Official BlackHat Conference Youtube Channel 

Defcon Youtube Channel 

Chaos Communication Congress videos

OpenSecurityTraining.info – CreativeCommons licensed security training site

Cyber Kung Fu for the Eight (8) Domains of CISSP – Training videos from Larry Greenblatt, a CISSP training guru.

Pentester Academy – video training site available for monthly or yearly subscription fee. Some free content.

Pentester Lab – Free online pentesting courses with practice images.

Penetration Testing Practice Lab – A mindmap of available vulnerable applications and systems practicing pentesting.

ENISA(European Union Agency for Network and Information Security) incident handling training

Carnegie Mellon University Software Engineering Institute (SEI) training – low-cost security training from a research, development and training center involved in computer software and network security.

Cybrary – free online IT and security training that grew out of a Kickstarter project.

Udemy, Coursera, edX and many universities offer MOOCs in computer science and information security. You can get a list from MOOC-Online.

Tagged , , , ,

Malware Analysis and Incident Response Tools for the Frugal and Lazy

I confess: I covet and hoard security tools. But I’m also frugal and impatient, so often look for something free and/or quick. And yes, that frequently means using an online, hosted service. Before the security-purists get their panties in a wad, I’d like to offer this disclaimer: you may mock me for taking shortcuts, but it’s not always about having the best tool, but the one that gets the job done.

Here’s a list that I frequently update. You’ll notice that sometimes I have the same tool in more than one section, but this is because it has multiple functions. If you know of others and would like to contribute or if you think the tool is outdated or bad, please let me know and I’ll adjust the list accordingly.

Many thanks to @grecs for his additions and helping me to organize it. Also to Lenny Zeltzer, author of the REMnux malware analysis and reverse engineering distro, who I’ve borrowed shamelessly from. You’ll find many of these tools and others on his own lists, so I encourage you to check his posts on this topic as well.

Online Network Analysis Tools

Network-Tools.com offers several online services, including domain lookup, IP lookup, whois, traceroute, URL decode/encode, HTTP headers and SPAM blocking list.

Robtex Swiss Army Knife Internet Tool

CentralOps Online Network tools offers domain and other advanced internet utilities from a web interface.

Shadowserver Whois and DNS lookups check ASN and BGP information. To utilize this service, you need to run whois against the Shadowserver whois system or DNS queries against their DNS system.

Netcraft provides passive reconnaissance information about a web site using an online analysis tool or with a browser extension.

Online Malware Sandboxes & Analysis Tools

Malwr: Malware analysis service based on Cuckoo sandbox.

Comodo Instant Malware Analysis and file analysis with report.

Eureka! is an automated malware analysis service that uses a binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.

Joe Sandbox Document Analyzer checks PDF, DOC, PPT, XLS, DOCX, PPTX, XLSX, RTF files for malware.

Joe Sandbox File Analyzer checks behavior of potentially malicious executables.

Joe Sandbox URL Analyzer checks behavior of possibly malicious web sites.

ThreatTrack Security Public Malware Sandbox performs behavioral analysis on potential malware in a public sandbox.

XecScan Rapid APT Identification Service provides analysis of unknown files or suspicious documents. (hash search too)

adopstools scans Flash files, local or remote.

ThreatExpert is an automated threat analysis system designed to analyze and report the behavior of potential malware.

Comodo Valkyrie: A file verdict system. Different from traditional signature based malware detection techniques, Valkyries conducts several analyses using run-time behavior.

EUREKA Malware Analysis Internet Service

MalwareViz: Malware Visualizer displays the actions of a bad file by generating an image. More information can be found by simply clicking on different parts of the picture.

Payload Security: Submit PE or PDF/Office files for analysis with VxStream Sandbox.

VisualThreat (Android files) Mobile App Threat Reputation Report

totalhash: Malware analysis database.

Deepviz Malware Analyzer

MASTIFF Online, a free web service offered by KoreLogic Inc. as an extension of the MASTIFF static analysis framework.

Online File, URL, or System Scanning Tools

VirusTotal analyzes files and URLs enabling the identification of malicious content detected by antivirus engines and website scanners. See below for hash searching as well.

OPSWAT’s Metascan Online scans a file, hash or IP address for malware

Jotti enables users to scan suspicious files with several antivirus programs. See below for hash searching as well.

URLVoid allows users to scan a website address with multiple website reputation engines and domain blacklists to detect potentially dangerous websites.

IPVoid, brought to you by the same people as URLVoid, scans an IP address using multiple DNS-based blacklists to facilitate the detection of IP addresses involved in spamming activities.

Comodo Web Inspector checks a URL for malware.

Malware URL checks websites and IP addresses against known malware lists. See below for domain and IP block lists.

ESET provides an online antivirus scanning service for scanning your local system.

ThreatExpert Memory Scanner is a prototype product that provides a “post-mortem” diagnostic to detect a range of high-profile threats that may be active in different regions of a computer’s memory.

Composite Block List can check an IP to see if it’s on multiple block lists and it will tell you if blocked, then who blocked it or why.

AVG LinkScanner Drop Zone: Analyzes the URL in real time for reputation.

BrightCloud URL/IP Lookup: Presents historical reputation data about the website

Web Inspector: Examines the URL in real-time.

Cisco SenderBase: Presents historical reputation data about the website

Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists

Norton Safe Web: Presents historical reputation data about the website

PhishTank: Looks up the URL in its database of known phishing websites

Malware Domain List: Looks up recently-reported malicious websites

MalwareURL: Looks up the URL in its historical list of malicious websites

McAfee TrustedSource: Presents historical reputation data about the website

MxToolbox: Queries multiple reputational sources for information about the IP or domain

Quttera ThreatSign: Scans the specified URL for the presence of malware

Reputation Authority: Shows reputation data on specified domain or IP address

Sucuri Site Check: Website and malware security scanner

Trend Micro Web Reputation: Presents historical reputation data about the website

Unmask Parasites: Looks up the URL in the Google Safe Browsing database. Checks for websites that are hacked and infected.

URL Blacklist: Looks up the URL in its database of suspicious sites

URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content

vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists

urlQuery: a service for detecting and analyzing web-based malware.

Analyzing Malicious Documents Cheat Sheet: An excellent guide from Lenny Zeltser, who is a digital forensics expert and malware analysis trainer for SANS.

Qualys FreeScan is a free vulnerability scanner and network security tool for business networks. FreeScan is limited to ten (10) unique security scans of Internet accessible assets.

Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

Hash Searches

VirusTotal allows users to perform term searches, including on MD5 hashes, based on submitted samples.

Jotti allows MD5 and SHA1 hash searches based on submitted samples.

Malware Hash Registry by Team Cymru offers a MD5 or SHA-1 hash lookup service for known malware via several interfaces, including Whois, DNS, HTTP, HTTPS, a Firefox add-on or the WinMHR application.

Domain & IP Reputation Lists

Malware Patrol provides block lists of malicious URLs, which can be used for anti-spam, anti-virus and web proxy systems.

Cisco SenderBase Reputation data about a domain, IP or network owner

Malware Domains offers domain block lists for DNS sinkholes.

Malware URL not only allows checking of websites and IP addresses against known malware lists as described above but also provides their database for import into local proxies.

ZeuS Tracker provides domain and IP block lists related to ZeuS.

Fortiguard Threat Research and Response can check an IP or URL’s reputation and content filtering category.

CLEAN-MX Realtime Database: Free; XML output available.

CYMRU Bogon List A bogon prefix is a route that should never appear in the Internet routing table. These are commonly found as the source addresses of DDoS attacks.

DShield Highly Predictive Blacklist: Free but registration required.

Google Safe Browsing API:  programmatic access; restrictions apply

hpHosts File:  limited automation on request.

Malc0de Database

MalwareDomainList.com Hosts List

OpenPhish: Phishing sites; free for non-commercial use

PhishTank Phish Archive: Free query database via API

ISITPHISHING is a free service from Vade Retro Technology that tests URLs, brand names or subnets using an automatic website exploration engine which, based on the community feeds & data, qualifies the phishing content websites.

Project Honey Pot’s Directory of Malicious IPs: Free, but registration required to view more than 25 IPs

Scumware.org

Shadowserver IP and URL Reports: Free, but registration and approval required

SRI Threat Intelligence Lists: Free, but re-distribution prohibited

ThreatStop: Paid, but free trial available

URL Blacklist: Commercial, but first download free

Additional tools for checking URLs, files, IP address lists for the appearance on a malware, or reputation/block list of some kind.

Malware Analysis and Malicious IP search are two custom Google searches created by Alexander Hanel. Malware Analysis searches over 155 URLS related to malware analysis, AV reports, and reverse engineering. Malicious IP searches CBL, projecthoneypot, team-cymru, shadowserver, scumware, and centralops.

Vulnerability Search is another custom Google search created by Corey Harrell (of Journey into Incident Response Blog). It searches specific websites related to software vulnerabilities and exploits, such as 1337day, Packetstorm Security, Full Disclosure, and others.

Cymon Open tracker of malware, phishing, botnets, spam, and more

Scumware.org in addition to IP and domain reputation, also searches for malware hashes. You’ll have to deal with a captcha though.

ISC Tools checks domain and IP information. It also aggregates blackhole/bogon/malware feeds and has links to many other tools as well.

Malc0de performs IP checks and offers other information.

OpenMalware: A database of malware.

Other Team Cymru Community Services  Darknet Project, IP to ASN Mapping, and Totalhash Malware Analysis.

viCheck.CA provides tools for searching their malware hash registry, decoding various file formats, parsing email headers, performing IP/Domain Whois lookups, and analyzing files for potential malware.

AlienVault Reputation Monitoring is a free service that allows users to receive alerts of when domains or IPs become compromised.

Web of Trust: Presents historical reputation data about the website; community-driven. Firefox add-on.

Shodan: a search engine that lets users find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters.

Punkspider: a global web application vulnerability search engine.

Email tools

MX Toolbox  MX record monitoring, DNS health, blacklist and SMTP diagnostics in one integrated tool.

Threat Intelligence and Other Miscellaneous Tools

ThreatPinch Lookup Creates informational tooltips when hovering oven an item of interest on any website. It helps speed up security investigations by automatically providing relevant information upon hovering over any IPv4 address, MD5 hash, SHA2 hash, and CVE title. It’s designed to be completely customizable and work with any rest API. Chrome and Firefox extensions.

ThreatConnect: Free and commercial options.

Threatminer Data mining for threat intelligence.

IBM X-Force Exchange  a threat intelligence sharing platform that you can use to research security threats, to aggregate intelligence, and to collaborate with peers.

Recorded Future: Free email of trending threat indicators.

Shadowserver has lots of threat intelligence, not just reputation lists.

The Exploit Database: From Offensive Security, the folks who gave us Kali Linux, the ultimate archive of Exploits, Shellcode, and Security Papers.

Google Hacking Database: Search the database or browse GHDB categories.

Privacy Rights Clearinghouse: Data breach database.

Breach Level Index: Data breach database.

AWStats: Free real-time log analyzer

AlienVault Open Threat Exchange

Tagged , , , , , ,

Are You There Business? It’s Me, Information Security

Are you there Business? It’s me, Information Security. We need to talk. I know you’re busy generating revenue and keeping the lights on, but we’ve got some critical matters to discuss. I feel like everyone hates me and thinks I’m a nag. Every time I want to talk to you about patching and vulnerabilities, I’m ignored. I’m so scared, because I’m always trying to secure the network so the bad guys don’t get into it, but no one wants to help me make sure that doesn’t happen. Honestly, I don’t feel heard. It seems like everything is about you all the time. I get it. I wouldn’t have a job without you, but I really need to feel respected in this relationship. Because let’s be honest with each other for once, if you’re breached, I’m probably the one that’s getting fired.

I understand that you don’t always remember passwords, which is why you write them down or use your pet’s name. I know that it’s takes a lot of time to follow rules that don’t always make sense. But this is important, so could you find a way to work with me?  I’d really appreciate it, because I feel so frightened and alone.

Yours Truly,

Infosec

P.S. Could you please stop using the word “cyber”in everything? I really hate that term.

P.P.S. And yes, I’m blocking porn because it really does have malware. But also because HR told me to. So please don’t get mad at me.i-wonder-if-9jgrq0

Tagged , , , ,

Cognitive Dissonance and Incident Response

“In psychology, cognitive dissonance is the mental stress or discomfort experienced by an individual who holds two or more contradictory beliefs, ideas, or values at the same time, or is confronted by new information that conflicts with existing beliefs, ideas, or values.”

Festinger, L. (1957). A Theory of Cognitive Dissonance. California: Stanford University Press.

For your consideration, what follows is the hypothetical discussion between a Pointy Haired Fearless Leader and a Security Analyst regarding the possibility of an organization’s large, web application having been breached. The Frankenapp in question was creatively duct-taped together around the same time that dinosaurs roamed the earth. All characters appearing in this work are fictitious. Any resemblance to real persons living or dead, is because truth is often much funnier than fiction.

SA: There’s a possibility our Super Amazing Custom Web Application has been breached.

PHFL: (Breathes into paper bag as starts to hyperventilate. In between breaths) How did this happen?!

SA: Same way it always does. A user was phished.

PHFL: But why didn’t our Extraordinarily Powerful Security Tools that cost $$$$$ stop this?!

SA: Because they don’t always work. Especially when they don’t have all the data necessary to identify malicious activity.

PHFL: But we paid $$$$$ because the vendor said it would stop APTs!

SA: This isn’t an APT.

PHFL: But we have Super Powerful Web Application Firewalls!

SA: They’re still in learning mode, because the web developers won’t work with us to identify false positives. And a WAF won’t detect phished credentials. We need multi-factor authentication to prevent this.

PHFL: But MFA annoys the users. What about the network firewalls?!

SA: Our firewalls wouldn’t have caught this and our web filtering system hasn’t worked for months.

PHFL: Do we know what accounts were compromised?

SA: We don’t have enough data. We don’t really have many application logs and the ones we do have aren’t being sent to the  SOC to be correlated.

PHFL: Why wasn’t I told about this tragic and desperately horrible situation?!

SA: I’ve been telling you every week since I took the job. I even hired someone to sky-write it twice. I’m also working on an off-Broadway musical called, We’re About to be Pwned Because Our Visibility Stinks and Our Security Tools Are Broken.

PHFL: Well, this is clearly your fault.

Dilbert On Incident Response

Tagged , , , , , ,

Security Karma

The Hacking Team debacle continues to make life miserable for defenders everywhere. Any vestige of organizational good will I  may have built up over the last year, is gone after issuing five emergency patch requests over ten days. I’m exhausted and still wondering how many more 0-days are lurking around the corner.

The compromise was epic, with hackers releasing approximately 400GB of data, including thousands of internal emails and memos which were posted on Wikileaks. Reuters reported that all this mayhem was caused by six disgruntled former employees who also released Hacking Team source code.  Frankly, I don’t have much sympathy for David Vincenzetti and his circle of douchery that includes government clients using Hacking Team’s brand of malware to spy on dissidents. While following the story, a Confucian proverb came to mind. “When you ride a tiger, it’s hard to get off.”

And so it has been for The Hacking Team, now bitten by that proverbial tiger and broken, a casualty of their own hubris. Whether they can recover from this disaster is questionable. Their arrogance only surpassed by that other sad sack of the security industry, HBGary, taken down by Anonymous.

There is a story of a soldier who went to see a famous Buddhist Monk, Ajahn Chah, to ask why he had been shot on the battlefield. Why had he been chosen to suffer, was it something he had done in a past life? Ajahn Chah answered that it was the karma of a soldier to be wounded. The real meaning of karma isn’t punishment, it’s simple cause and effect. With the Hacking Team it’s a case of security karma: they chose to enter the arena of offensive security and use the tools of attackers for questionable purposes. By doing so, they increased the odds that they would themselves become an object of retaliation.

Tagged , , ,
%d bloggers like this: