Tuesday, June 20, 2017

I posted this on twitter last night but it bears posting here too

Listen to Hadley (the blonde student) and ask yourself is this person someone you want running the world? Then listen to George (the President of the college) and ask yourself "How did he get to that position?" Then weep for the future.

Thursday, June 15, 2017

Free Network Security Training

Messing around on twitter last nigh and found a link to ITSP Magazine (I assume it stands for IT Security Professional) via a podcast that some woman was pushing.  I've never heard of Ariel Robinson or the Magazine before so I poked around a bit and found an article titled "Companies Are Taking the Cybersecurity Skills Gap into Their Own Hands" which mainly seems to center on Fortinet's Network Security Expert program, which is now offering free training:

But that is just the start. For the next step, we just announced that we are providing universal access to our NSE program. As of this quarter, NSE level 1 courses are currently available to the public free of charge, and NSE levels 2 and 3 will start to become available in the second quarter of 2017.
I can't vouch for the training but the syllabus looks pretty comprehensive, if extremely Fortinet centered.  If you are looking for some free training check it out, let me know if it's any good.

Tuesday, June 13, 2017

CRASHOVERRIDE And The Threat To The Grid

Yesterday Dragos and a few other security vendors issued a report outlining a new piece of malware called CRASHOVERRIDE. 

Essentially this malware after being loaded / loading onto an HMI will install additional backdoors and tools then execute a launcher and using the OPC protocol map the network on which it is located. It can then issue command utilizing modules for various industrial protocols, and then finally issue a command to wipe the HMI.  Command issued via the protocols can results in rapid triggering of relays and a DoS attack by blocking communication via the HMI's serial port. 

This can result in islanding of portions of the grid and general instability. 

This sounds pretty bad but I have had a number of talks over time with craftsman and substation operations people about stuff like this.  Their response has been consistent.  If something like this attack were to take place they can take the network off line and use manual control. 

In addition from what I have read this attack can be detected by noting unusual traffic on port 3128 and attempts to communicate with 4 or 5 TOR sites.  It also appears that application whitelisting (one of the controls that appears on the CIS Top 20, ASD top 35 and IAD Top 10) would be helpful in preventing this attack.

All in all, worrying but not catastrophic.

(US CERT issued an alert that basically agrees with me)

Saturday, June 10, 2017

The Ultimate Barney Stinson "Get Psyched" Playlist

There are apparently 3 different version of this playlist, the version on the TV show, the version on the Barney Stinson Blog, and the version in The Bro Code.

This presented a conundrum today as I was deciding which version to load on my iPod to play at the office and annoy my co-workers.

I solved the problem by listing all the songs and their order on each of the lists then averaging that order and sorting lowest to highest.  I thought about throwing out any song that was only listed on one of the lists but then we would't have Tom Sawyer, so...

On Freebird per Barney skip to second half of song only

Personally I would have made a few changes - You're the Best Around would be substituted with Danger Zone, Freebird would be substituted with I see You Baby, Come Sail Away would be substituted with something by Whitesnake (Probably Slide it In) and High Enough would probably be replaced by Sweet Emotion

Adam West R.I.P.

His version of Batman was the best of the movie Batmen, plus it had the best Catwoman (Lee Merriweather)

This is definitively the scariest version of the Joker ever

skip to 1 minute 53 seconds

Saturday, June 03, 2017

As promised - CIS Top 5 Security Controls Compared to ASD and NSA

GICSP Update

Passed - 84%

Anyone considering this exam - DO NOT RELY SOLELY ON THE CLASS MATERIAL.  I can't really go into detail without potentially running afoul of the NDA but definately consult a couple outside references like Industrial Network Security and the NIST report on Smart Grids to round out your knowledge.  Not saying that anything specific was pulled from those sources, just that they are a little more in-depth on some stuff.

GICSP Exam Today

Not feeling super confident -

Been studying since I completed the class in April (Great class by the way, if you are in the field and need to build or solidify some foundational knowledge I highly recommend it), but the more I study the stupider I am feeling.  I really think this is going to be a write off exam and I will end up retaking it in a couple months.  Hopefully not, but that's the way it is feeling

In other news -

I did up a nice little table that compares the CIS Top 20 Security Controls (actually the top 5 plus 1) to the ASD Mandatory Top 4 and the NSA IAD Top 10 (top 4) and correlated that to the NIST 800-53 controls.  I tried to put it in blogger in table format but it wont take. I am going to reformat a little bit and I will post a .jpg later today. I know this may seem pointless, but I actually do have a point with it - The Australian Security Directorate (ASD) did an analysis and found that 85% of the incidents they respond to could be prevented by implementation of their top 4 controls. SANS made similar claims about their top 5 (now controlled by CIS). Finally, the recent WannaCry ransomware epidemic could have been largely prevented by a good vulnerability/patch management program and guess what figure heavily in those sets of controls. My point being that a base level of security is relatively easy to obtain and everything after that is gravy. (Don't interpret this as "Oh, we only have to do this stuff!" I am making the point that laying a good base to build on is an achievable proposition)

Sunday, May 21, 2017

Saw Guardians of the Galaxy Vol. 2 yesterday and other news

Honestly - I wasn't that impressed.

I don't want to give away any spoilers, but lets say that they went way to heavy on the comedy at the expense of the story.  Part of the reason the first movie was so good was the comedic interaction felt natural.  Like people really bantering.  This felt forced.  They also went  way too Three Stooges and way too cartoonish both.

Second the Kurt Russell character sucked ass, from the very poor CGI at the beginning, which was very creepy looking (uncanny valley), to the character himself, who didn't really serve a purpose other than to explain why quill held an infinity stone.  That didn't really need an explanation and could have served as a thread in upcoming movies, at least in my opinion.

Baby Groot, believe me a little bit went a very long way.

Unexplained technical stuff that causes problems etc.

The list goes on.

TLDR:  Bad story, bad effects, bad characters - worst movie from Marvel in a long time.

The other news --

Got the new computer, Alienware R6 Aurora.  Spent most of yesterday transferring files, getting stuff set up again.  having a few glitches, nothing hardware related so far.  Went with the water cooled option and OMG I never really realized how loud my old system was.  32 GB of RAM for VM labs. now of course i have cables everywhere but I will get that cleaned up.

Thursday, May 11, 2017

Where in the world is Chad

Well still in Portland actually.  It's been a couple weeks so I thought I would update the blog.

First off - As you guys know I went and took the SANS class on ICS / SCADA Security Fundamentals.  I also got the on demand version.  Currently I am reviewing that class getting ready for the GICSP exam.  That is scheduled for June 3rd.  After that I am back to working on my CISSP.

Second - As I mentioned a couple weeks ago, the company I am currently contracting at made an offer for full time employment.  I accepted and have been jumping through those hoops.

Thirdly - My Achilles tendinitis is mostly gone so I am trying to get back into my daily walking routine.

Fourth - I bought an Oculus and have been messing with that some.  It's somewhat limited so far, but it has potential.  Because I bought the Oculus I am also upgrading computers.  Bought an Alienware Aurora and intend to turn my current system into an ESXi machine for VMware practice.

There you go that should catch everyone up