Jawn of the Month

For July the Jawn of the month is……..

Discord

I’m no longer employed by an organization which utilizes Slack. I missed my group chats and I’ve been able to rediscover this lost fondness of group chatting. Discord if you haven’t used it is very cool and contains all of the options you’d like for a chat.

I’ve found that it contains tons of non gamer chat rooms for interesting topics. I had used IRC again briefly and quickly moved over to Discord.

@jerkyyy

Jawn of the Month

Phillips Hue Smart Color Lights….

I don’t care if you can hack them. Just watch the scene from Game of Thrones Season 8 episode 3 when Melisandre lights the trench with these jawns synced to the TV…..

Jawn of the Month June 2019 = Phillips Hue Smart Lights

More addicting then Cryptocurrency.

Advice for prospective Info Sec/Security careers

Let me preface this as saying I’m not an expert.  I have had the benefit of meeting some very smart key individuals who have helped me along the way.  I feel that because I received help in the form of advice and teachings that it is my responsibility to pass this knowledge down.    With that now being said let’s get started.

Before you make a decision on a career path in security know that there are different avenues of security, which are vastly different.  The different roles of security will require different skillsets and perform different tasks regularly.  This list will not entail every security positions available but I can list a few which areas. 

Information Security Consultant is a popular position and extremely common.  Info Sec Consultants will work with their organization or clients to achieve a strong position in regards to compliance.  An Info Sec position is a less technical position. Traditionally Info Sec members should have IT experience and understand the system their auditing.  However, today it is very common for Info Sec professionals to have little to no IT experience and learn the particular framework, which their clients or organizations are trying to strive to achieve.  These frameworks are usually based on NIST CSF or ISO 27001.  This position will spend a large majority of time working in Policy/Procedure documentation. Additionally, creating Policy/Process documentation or working with an organization to improve their documentation is something Info Sec individuals will do consistently. To succeed at this position you must have strong reading comprehension skills, excellent writing skills and an eye for detail.   Info Sec positions will vary with regards to the IT skills required but overall from my experience the Info Sec crowd is much different from the engineering team.   The InfoSec crowd will focus on creating/reviewing and updating the policies/procedure documentation for organizations.  Organizational policies/procedures will need to align and match the compliance/legal requirements of the specific regulatory compliance standards such as PCI, FISMA or HIPAA/Hitrust. The InfoSec team will also need to review implementations of the technical controls which will require advanced IT knowledge to truly assess the organizations security posture. 

To obtain employment in the field of Information Security it is important to have a strong background in advanced writing and reading comprehension.  I’d say a Bachelors degree is more important for a career in Information Security as having the experience of advanced writing will be extremely important.   I’d also suggest learning about the basics of networking, access control and other underlying IT infrastructure. I’ve met InfoSec professionals with little to no IT experience and there is absolutely a learning curve.  How can you review or assess policies or procedures regarding specific IT controls if you don’t fully grasp what the controls do? And even more important how can you assess IT controls if you have no knowledge of the systems being reviewed.  An InfoSec professional with little or no IT experience will need to lean on senior members to ask questions of the unknown.  The worst thing an inexperienced team member can do is make assumptions for technologies they don’t understand.

The Security Engineer is a different path for security professionals. As a Security Engineer you will need a strong technical background in IT.  As a Security engineer you will be expected to understand at a minimum the basics of networking, server administration, access controls, web services and secure communication protocols.   Additionally, skills such as programming, and report writing will be extremely helpful. Security Engineers will have a less predictable day to day as the tasks they face can be drastically different. A Security Engineer can review vulnerability scans or parse through logs of different equipment as examples of things performed regularly.   Security Engineering roles often have different responsibilities including implementing projects, automating tasks, responding to alerts/threats and working with the compliance folk. A security engineer will work to remediate, and increase the security posture of an organization.  As excitement goes the Security Engineer will face a different set of challenges, which can be exciting at times. 

To become a security engineer I’d suggest one of two routes.  The first route would be to obtain a computer science degree and have a strong foundation in programming.  Expect to be forced to learn IT and spend extra free time on learning how the infrastructure works.  The reverse is also true; my route to security came from working in IT.  Starting in IT and learning different aspects such as networking, servers, applications and access controls can lead to a promising security career. As any security engineer will tell you this job does not end once you’re off the clock. Security engineers who thrive in this business will tell you that spending your free time reading about new threats, and learning new skills will be a regularly occurrence.  IT/Security advances very quickly and it doesn’t take long to become obsolete. 

A career in Security can be extremely rewarding and profitable.  However, it can be extremely challenging and difficult which is why it is profitable. The Security industry requires constant self-study and continuing education. In Security you can truly advance as far as your capability and determination will take you.

Zero Trust Architecture and the Future of Networking

In today’s networks having a strong defense at the perimeter-points is not sufficient enough to keep your data safe. The IT landscape moves very quickly and so do the threats that we face. Strong networks will implement additional defenses to protect the internal boundary points.  These additionally defenses ideally will vary between the segments, which house varying sensitivity levels of data.  The Healthcare industry has been slowly adopting stricter network segmentation and role based access through out the entirety of its networks.  These additional defenses are absolutely worth implementing but we should not stop there.   Enter zero trust architecture, which follows the never trust, always verify model. Zero trust architecture does not assume that traffic contained within the same zone is safe.

John Kindervag developed the concept of Zero Trust in 2010. In January of the same year, Google announced that they were hacked by what was believed to be an Advanced Persistent Threat by the Chinese government. This led Google to look outside the box for a different approach to security. Eventually the company decided to implement Zero Trust architecture throughout their network.

Endpoint protection is one of the biggest obstacles in IT.  If your organization falls victim to a hacker odds are it was through a compromised endpoint.  In modern networks Intra-zone traffic (Lateral moving traffic) is the least restricted traffic. The idea of zero trust requires access to each host to require multiple authentication methods for access regardless of the users location.  A user located within the same network zone will be required to authenticate utilizing the same process as a user outside the network.   From experience my implementation of Zero Trust required a username/password, which can easily be integrated into an Active Directory or LDAP identity management system.  Additionally, Multi-Factor authentication must be enabled to a soft token authenticator or one-time password sent to a mobile device.  And the last step of authentication for a Zero Trust provider maybe a device certificate issued to the device.   This Zero Trust model authenticates the user, the device and the session.  The transmission of this information is always sent utilizing a secure SSL connection to ensure the data is sent/received securely.  

This process of authenticating and validating the device, session, and user creates an ideal security approach. An added benefit of the certificate issued to the device is that the console of the Zero Trust portal will contain an inventory of the devices with access, and details regarding specific access rights granted which can be a handy tool if any assessments are on the horizon.  While it’s difficult to call anything fool proof, this model creates extra layer of security that is needed in the current environment of cyber threats. 

The technology utilized by Zero Trust architecture is all technology that exists in the field, such as Multi-Factor Authentication, RSA certificates, and leveraging your current identity management system. The Zero Trust Architecture takes the idea of segmentation and goes to a micro level in which each host is segmented and secured individually. To visualize Zero Trust architecture in action, imagine a burglar breaking into a building only to discover a long hallway with locked steel doors throughout.

What does this mean for the future? As the medical field adapts and leans on the Internet of Things (IoT) for reporting medical metrics to hospitals from a patient’s wearable technology, the interoperability of these devices will rely on information sent and received over the Internet. With the increase of patients gaining access to medical devices outside of the hospital, look for the concept of Zero Trust to be the model these devices use. The next generation of medical devices will need to send information securely over the Internet and will need to be maintained, which will require frequent updates over the internet. Any device externally exposed to the Internet will face certain risk, but Zero Trust architecture will create a method for even the smaller devices to have a fighting chance at maintaining security. Technology for medical devices is advancing, so the security infrastructure must follow.   

As new principals in security are flourishing, some newer technologies are emerging parallel to Zero Trust. Software is quickly invading the networking space and Software Defined Networking (SDN) has been a driving force. SDN and Zero Trust will essentially change how networking occurs, and these changes are coming quickly, whether in the cloud or on premises. Zero Trust is the security architecture of the future.  With the wide spread acceptance and success of DevOps, this trend will only continue. As developers continue to migrate to the IT space expect the continued streamlining of automated IT tasks.

Zero Trust will not completely remove the need for a VPN since IT may still require network access or site-to-site VPN connections between sites. Zero Trust can change how IT administrators obtain access to their networks if they choose to accept it. However, VPNs will not fade away quickly but will gradually make way for the next generation of remote access.

Zero Trust is not only architecture; it is becoming a mindset for Information Security. Next generation firewalls, IPS, and other security tools can be leveraged alongside of Zero Trust access principals to create a more robust protection for both the boundaries and the hosts.

What does this mean for assessors? VPN functionality will be used less for remote workers as direct access methods such as Citrix and other web-based applications become more prominent.  Site-to-site VPNs will likely still exist, but in a much more automated and centrally controlled form. IT departments may always create a business justification for network level access; however, expect VPNs to become scarcer as the technology continues to advance.

In with the new but stay with the old, remember that just because newer security techniques are appearing does not mean we should neglect the basics. If a company doesn’t have an updated list of assets, has never actually tested a restore from a backup, or has never audited user accounts, they’re asking for trouble. We often hear stories of companies who are breached by preventable vulnerabilities – if systems had been implemented correctly or if different security layers were in place, they could have limited the damage of their respective breaches. If a company does the little things right and builds upon that using tools efficiently and effectively, security is achievable. Companies rarely have resources to spot every one of their deficiencies, so it is extremely important to find the right partner to assess the environment, provide a clear roadmap towards remediation, and then reassessment to confirm the security posture is moving in the right direction.

Tips for Everyday Security

As any IT or Security person knows we’re often asked what a normal person can do to stay secure. I have some simple things to consider and some more difficult things to implement for your cyber life. These changes will make accessing your accounts more cumbersome to access. However consider this, if it is harder for the account holder imagine how much more difficult accessing your account will be for a hacker.

Step 1. Use tougher Passwords, I suggest using 10 or more characters with a mixture of lower case, upper case, numbers and symbols. Phrases are very popular now such as I thinkmypasswordisreallysecure2019! but depending on the phrase I’d say be mindful of common phrases. My best advice is use a password manager and utilize a random password generator and set the characters to 16. The longer the password length and more diverse the complexity, the longer it will take for an attempted brute force attack to discover that password. A randomly generated password using all possible characters and 16 characters or more will be nearly impossible to crack.

Step 2. Use different passwords for every site. Insert groans here……. Yes this is a major pain in the ass but it is the truth. When you use a password for any given site you have no idea how securely that password is being stored. As we’ve recently learned from Facebook and other instances of website breaches, websites can leave passwords with weak hashes or even store them in plain text. If your password is compromised in plain text or the hash is broken that leaked password will be associated with your email account. If that email and password are used for multiple accounts odds are that information will be utilized to access your accounts. You need different passwords for each specific site. At the very least do it for the accounts which have access to your money!

Step 3. Use Multi-Factor Authentication for any account that can utilize it. Any bank site, financial services, crypto currency should have the ability for MFA so go ahead and enable it. Use Google authentication with it and avoid the use of email as a MFA method and if it’s the only option SMS will work but a separate app is better.

Step 4 Limit the information you make available about yourself. Facebook, LinkedIn, Instagram, all of these sites have treasure troves of information about us and hackers can and do often use this information to craft specifically targeted attacks. If I see you went to Hawaii in 2014 I may add Hawaii2014 and every variation to it to a password list I’d use to brute force attack your bank account.

Step 5 Turn off any services that are not in use, this goes for phones, tablets and laptops. Turn off Bluetooth for your devices if it’s not in use, turn off sharing and cover your laptop camera. If you have a smart phone you already know your sacrificing privacy for convenience. So don’t act surprised when you talk about buying new shoes and later that day you see shoe ads displayed on news sites you visit later in the day.

Step 6 Nothing is free, if you provide info to a company most likely that company will be selling it. Be conscious of this since anyone can buy that info. Your phone number, address and email are very easy to obtain so hesitate next time before you give that information away and think do I really need to do this? Think of the spam calls your getting all the time (like me) they didn’t make your number up they got it from somewhere.

Step 7 Trust no One… Microsoft won’t call you, your bank probably isn’t calling you (If the bank is calling it may be fraud prevention and they won’t be asking for any money but only to verify recent activity). If you receive a phone call and it doesn’t feel right it’s probably not. If someone calls you and that person is pressuring you to give them money it’s a scam. If you think it could be real, ask for the persons name and extension to call them back. If the answer to that question sounds good, google the info you obtained and see if the number is actually associated with that company or if the name of the person can be found on LinkedIn employed at that company. Don’t trust any one without verifying their identity. Scams are happening every day don’t fall victim to them.

Step 8 Spam Mail Protection if you click a link and it takes you to a login, stop. Close the link and open up a new tab and login to the site through typing it in the address bar or use your bookmark. This practice can help protect yourself in case you do click a link which is a phishing attempt (Spam mail, which has a link to a fake login screen made to mimics a site to steal a users password by tricking the user to enter the info into the fake site). I have a poster below from SANS which will provide a ton of detail regarding the items to look for in a possible phishing attempt. But always remember TRUST NO One!

Step 9 Use an ad blocker for your web browser. Adblock, and Ublock are some good options but more do exist. Ad blockers can help prevent malicious advertisements which can lead to malware installing itself on your device. Blocking malicious ads at the source through an ad-blocker provides an additional layer of security.

Step 10 Avoid using public WiFi for financial transactions. I strongly believe that if it is not a necessity it is best to avoid using any public WiFi to login to any accounts which could lead to identity theft. I feel the same in regards to accessing banking applications over cellular networks. This may be more of a personal feeling and less of proven technical theory but proof of concepts do exist of rouge cellular networks catching data transmitted over 4G. Ideally I’d prefer to only access banking, or other financial sites over a private WiFi connection. However, if you travel often and have to use public or hotel WiFi, I’d suggest utilizing a private VPN for that sensitive traffic. At least with a VPN it will encrypt that traffic over the public wireless connection and give you an additional level of protection. HTTPS should be used by those connections and will encrypt that data but as it is commonly mentioned in security a layered defense is best.

Thank you for reading this information and hopefully it can help keep your information a little safer.

First Jawn of the Month

For the first Jawn of the Month I had to pick Pfsense. I’ve used this open source router/firewall software for many years. I can’t stress enough how much I’ve learned in regards to network security and traffic flow with this operating system. For any entry level IT or Security individuals I would definitely suggest picking up a refurbished desktop on Amazon, load it up with two gigabit NIC cards and install Pfsense on it and learn how to use it. This tool will provide visibility into the incoming/outgoing connections in your network much better then anything you can buy off-the-shelf for home routers. On Pfsense you can create very strict firewall rules, create a VPN or even install an IPS into this system. This jawn is an extremely powerful operating system which can provide a strong layer of defense for a home or small business network. Pfsense has the ability to do many of the same things small business router/firewalls are capable of running. The UI for Pfsense isn’t as easy to use as a SonicWall or Fortigate but if you can use Pfsense those other types of router/firewalls will be much easier to master.

My Pfsense dashboard

Goal of this site

The main reason for this site is to educate anyone I can on the subject of security. The more technology we utilize for our daily lives the more important this becomes. I plan to write articles regarding security from different aspects regarding technology and other jawns. This site may contain articles written by other people as well as articles originating from different sources. If I see an article I think is important I will share it on this site and credit back the original source for that jawn. I hope to cover a wide range of topics as well in the world of technology with the focus on security.