Wednesday, November 08, 2017


Not much going on in Chad-land.  At least not anything interesting, but I'm keeping busy:

  • Working on my CCNA-Security, have that exam scheduled for December 2nd.
  • Started the ICS 515 - ICS Active Defense and Incident Response Course.  This is the precursor to the GIAC Response and Industrial Defense (GRID) exam and certification.  My goal is to take that test by Feb. 2018.  (A little side note here - yesterday at work we were looking some stuff up, because we have a lot of people going through different SANS classes at the moment and we were curious where they overlap, and I noticed that despite all the hype about the need for ICS security professionals there are only 1500 people who have taken and passed the GICSP (me included) and only 81 who have taken and passed the GRID.  I'm not sure if that means the problem is overhyped or if it means the training isn't getting enough exposure, but there seems to be a disconnect.)
  • Still plugging away on the OSCP - which has gotten me thinking there needs to be an OSCP-like cert for industrial networks.
  • Gathering material for the GIAC Critical Infrastructure Protection exam, which they will start offering in Feb. 2018.  I haven't decided whether or not I am going to take the SANS course yet.  

On top of all that I have a trip to Austin planned for Dec. to take the SANS SEC 560 course.

Yeah, yeah, I know this reads like a SANS fanboy's wet dream, and that I have been critical of SANS in the past, mainly because of the cost, BUT, the training is good and work is paying for the two SANS courses so I would be a fool not to take them.  The goal is to have all three SANS ICS certs by the time DefCon starts next year.  It doesn't mean anything, other than it will make me super-sexy at the Vegas pool parties, but it's something to strive for.

Monday, October 30, 2017

Rum, Sodomy And An Unmet Patch Schedule - Life In Cybersecurity Today - What I am reading 10/30/2017

LAGUNA BEACH, Calif., Oct 18 (Reuters) - Two of the technology industry’s top startup investors took to the stage at a conference on Wednesday to decry the power that companies such as Facebook Inc had amassed and call for a redistribution of wealth.
Altman and Maris offered few details of how to accomplish a redistribution of wealth. Maris proposed shorter term limits for elected officials and simplifying the tax code. Altman has advocated basic income, a poverty-fighting proposal in which all residents would receive a regular, unconditional sum of money from the government.
They're right that companies like Facebook have accumulated far more power and social influence than AT&T ever had, but I don't see where their proposed solutions do anything about that.  AT&T was kept in check because it was a regulated monopoly.  Then when conditions changed it was broken up.  If you are truly concerned about Facebook, Google etc., those are the solutions you should be looking at.

BBC - NHS 'could have prevented' WannaCry ransomware attack -
NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said.
Speaking on the same programme, former chairman of NHS Digital, Kingsley Manning, said that a failure to upgrade old computer systems at a local level within the NHS had contributed to the rapid spread of the malware.
He said: "The problem with cyber security for the NHS is [that] it has a particular vulnerability... It's very interconnected so if you get an attack in one place it tends to spread."
Of course, all of this could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS. Once again, there had been warnings sent out by NHS Digital, but many trusts failed to act upon them - though in that they were no different from many organisations around the world that were also hit.
This report was filed by the "Water is wet" department.  Every single serious list of cyber-security precautions - CIS Top 20 Critical Security Controls, Australia's ASD Top 35 Security Controls, NSA Top 10, etc. - what's always in the top 5 of the controls?  Patching.  What's always one of the major areas of failure when an attack like this hits?  Patching.  Just patch, you morons.

Speaking of Patching...

Dark Reading - Why Patching Software is Hard (a two part series) -

Technical Challenges 

  • Tracking Devices, Applications, and Software Libraries
  • Updating Critical, Complex, and Legacy Applications

Organizational Challenges 

The reality is there are many organizational challenges preventing best practices. To solve the problem and not just point fingers, companies should look at the teams and individuals involved with patching and identify potential blockers. The following is a list of the roles that may be involved in patching, and what challenges they may face.
Patching needs to be a priority. It takes time and money from other important projects that offer more immediate and visible value compared to protection against a potential threat. 
The two articles together are pretty good and present a fairly balanced picture of the difficulties associated with a large-scale patch management program.  Still, by far the biggest obstacle is, in my opinion, a lack of understanding of just how critical timely patching is.  Number two is lack of organizational will.  The technical challenges can be big, but they are also controllable, because they are technical in nature.

Sunday, October 29, 2017

I am a glutton for punishment - just registered for CCNA Security

I know I said I was going to be working on the OSCP, and I am, but I have a commute that has me on the train for about 90 minutes a day.  I find it hard to concentrate on OSCP stuff during the commute so this will eat up that time. 

Oh, and bonus - I take the exam the day before I fly down to Austin for SANS SEC560 (Network Penetration Testing)

Saturday, October 28, 2017

Passed the CISSP exam - so now back to OSCP

At least provisionally; they say to allow 2 to 5 days for review.  Now I just need an endorsement and that is an item off the bucket list.

Wednesday, October 25, 2017

More Industrial Control Network Problems - What I am reading 10/25/2017

The Register - Legacy kit, no antivirus, weak crypto. Yep. They're talking critical industrial networks

Traffic analysis on 375 industrial networks worldwide has confirmed the extent to which hackers target industrial control systems (ICS).
The study by CyberX also found that industrial networks are both connected to the internet and rife with vulnerabilities including legacy Windows boxes, plain-text passwords and a lack of antivirus protection.

  • 33% - Internet Connected
  • 75% - EOL'd OS running (i.e. XP or Win2K)
  • 50% - No AV protection
  • 60% - Weak Passwords or Plain Text Passwords
  • 50% - Rogue Devices
  • 20% - Wireless Access Points installed
  • 82% - Allow Remote Access via RDP, VNC, SSH

In response to the threat on industrial control systems, CyberX advises organisations to provide security awareness training for plant personnel and enforcing strong corporate policies to eliminate risky behaviours such as clicking links in emails, using USBs and laptops to transfer files to OT systems, and dual-homing devices between IT and OT networks.
Using compensating controls and multi-layered defences – such as continuous monitoring with behavioural anomaly detection — to provide early warnings of hackers inside your OT network, and the mitigation of critical vulnerabilities that might take years to fully remediate are also recommended.

This is an ongoing issue; it is expensive to replace the legacy equipment, especially when some of the applications may not be supported on new operating systems or the manufacturer of a particular widget has gone out of business and there is no easy solution for replacement.  Also, in many cases the lack of passwords or weak passwords is justified by a need for immediate access in the case of an emergency (an actual legitimate concern).

Rogue devices, wireless access points, and remote access appear because of a need to align with business concerns and increase efficiency.  All we can do as security professionals or ICS experts (and I lay very tenuous claims to the first title and no claim to the second) is to provide the best advice we can to mitigate impacts.  

Business needs will always win unless you can show why it will cost the company more to implement the newest iOS app that allows you to shift load from Bumfuck Egypt than they would save by doing so.  This means good Risk Assessment and Business Impact Analysis.

ZDNet - Kaspersky admits to reaping hacking tools from NSA employee PC -

The way the story is written it is hard for me to pull a short money quote, but basically what Kaspersky is claiming is that the NSA employee had a pirated copy of MS Office installed.  This led to the installation of a trojan.  When Kaspersky AV was turned on it detected the trojan and the code the NSA employee was working on and sent them both to Kaspersky for analysis.  Kaspersky says once they realized what was detected it was deleted and not shared with anyone.

Wednesday, October 18, 2017

What I am reading (or maybe watching) 10/18/2017

DefCon - ICS Village: Grid Insecurity and How to Really Fix This Shit -

I tried to see this talk while at DefCon, but the room they had listed on the schedule didn't seem to exist and the guy with me and I spent 30 mins. looking for it.  That's when I learned the value of the DefCon app.

Wired - The Problem with #MeToo and Viral Outrage -

On its surface, #MeToo has the makings of an earnest and effective social movement. It’s galvanizing women and trans people everywhere to speak out about harassment and abuse. It’s causing everyone to weigh in on systemic sexism in our culture. In truth, however, #MeToo is a too-perfect meme. It harnesses social media’s mechanisms to drive users (that’s you and me) into escalating states of outrage while exhausting us to the point where we cannot meaningfully act.
As a result, our “outrage” bar continues to move firmly up and to the right as our feeds become saturated by egregious stories. We become numb to tragedies because we’re unable to process the emotions they engender at the speed with which they arise. As Crockett writes, “Just as a habitual snacker eats without feeling hungry, a habitual online shamer might express outrage without actually feeling outraged.” We may also discover that, just as venting anger begets anger, expressing outrage leads us to feel the emotion more deeply and consistently. Neither of these changes is good for humans.
I think we are already seeing some of this outrage escalation.  Over the weekend I followed some of the #MeToo threads and it seemed like as soon as one woman related an experience, someone would pop up in her thread and one-up her. Then that would generate a new round of everyone condemning the antagonist in the second story until another more egregious violation was named.  It's exhausting and at some point it causes people to just start ignoring the issue, especially if it starts to make the issue seem so big that it can never be addressed.

Network Computing - From Law School Dropout to Senior Network Engineer -

NWC: What things have you seen changing in the field?
AA: Like people have been saying for a while, it's not enough just to know networking. To be really good at being a network engineer, you have to understand a little bit, or sometimes a lot, about the way other systems work -- storage, servers, virtualization. You don't have to be an expert in any of it, but in order to make the best decisions, you really have to know some of it. So I would encourage people to not just learn networking, but go over and bother the systems engineer every so often, things like that.
They keep saying that the job of the network engineer is going to be automated out, but I don't see that happening. I see the people who understand the fundamentals having to shift their focus, but you still need someone who understands how routing works and how it relates to the other systems it interacts with.

I follow Amy on Twitter (@amyengineer) and her blog is pretty good too.  Give her stuff a look.

Tuesday, October 17, 2017

CISSP update

Still scheduled to take the exam 28 Oct.  Been taking practice exams and scoring in the mid 80s to low 90s.  Hopefully CCCure is a somewhat accurate representation of my knowledge level.
