Wednesday, December 31, 2014

2014 InfoSec Tweet Awards

Welcome to the third annual InfoSec Tweet Awards!  These posts continue to be some of the more popular blog entries on SecurityRamblings.com so I feel compelled to continue the series.
As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the last year. Also, you will notice that the categories have changed.  This is because they are completely arbitrary. I make them up as I go along. So without further ado...

Best Tweet Inspired by a Movie


Best Tweet Inspired by a Song (Tie)



Best Tweet Inspired by the Holidays (Tie)



Best Tweet on How to be a Hacker


Best Tweet About Linux


Best Tweet About Metasploit


Best Tweet About Medical Devices


Best Tweet About The Cloud


Best Tweet About Cryptography


Best Tweet About Two-Factor Authentication


Best Tweet About Silk Road


Best Tweet About "Named" Exploits


Best Tweet About Attribution (Tie)



Best Tweet Explaining the Sony Breach


Best "Fake" Tweet


Best "Get Off My Lawn!" Tweet


Best Twitter... um... –er

Last but not least we have the "award" for the person who posted the best overall tweets of the year.

And the winner is.... InfoSec Taylor Swift (@SwiftOnSecurity)! InfoSec Taylor Swift is an unusual account. On one hand it's an obvious parody of a celebrity with a humorous slant towards information security. On the other hand she (he? they?) offers legitimately sound advice in 140 characters or less. The quality is such that news outlets have quoted the account and the new web site associated with it, decentsecurity.com, has the potential to become a solid resource for InfoSec fundamentals.

If you follow one new account this year it should be @SwiftOnSecurity. Below are a few gems from 2014:

Serious Tweets:


Funny Tweets:


This concludes the 2014 Tweet Awards. Please feel free to share your favorite tweets in the comments below. I wish you and yours a very Happy New Year!


Monday, December 15, 2014

Don't Click

As I'm sure the readers of this blog will know, way back on June 20, 2011, the ICANN board voted to end restrictions on TLDs. This paved the way to expand the number of TLDs (22 at the time) to include over 400 gTLDs (generic top-level domains).  Most of the new gTLDs were sponsored by companies and organizations willing to pay the $185,000 application fee.  In November 2013, these new domains began rolling out a few per month.

Many domain registrars are offering free pre-registration for the new gTLDs.  Like a good little geek I immediately skimmed through all the options and reserved a couple dozen domains.  There are some real gems in my list but I'll keep them to myself until their respective gTLDs go live.  I don't want to lose them in the land rush :)

So what's my point?  Basically I wanted to share my first gTLD and solicit ideas for its use.  Without further ado I present:

http://dont.click


What do you think?  What would you do with this domain?  Please leave your suggestions in the comments below or hit me up on twitter (you'll find me as @ITSecurity).  Thanks in advance.



Tuesday, September 9, 2014

Book Review: The Basics of IT Audit


Full Disclosure: I was the Technical Editor for this book. While some may say this makes my opinion biased, I believe this has made me more critical of the finished work.


The Basics of IT Audit: Purposes, Processes, and Practical Information by Stephen Gantz is the latest in "The Basics of" series by Syngress.

It is intended to "provide you with a thorough, yet concise overview of IT auditing. Packed with specific examples, this book gives insight into the auditing process and explains regulations and standards such as the ISO-27000 series program, CoBIT, ITIL, Sarbanes-Oxley, and HIPAA."

At 270 pages it is one of the longer books in this series and, like the others, is intended to provide a high-level overview of the subject matter. It begins by explaining the reasoning behind auditing and quickly moves into the different roles and responsibilities that one can expect during an audit engagement. The book dedicates separate chapters to internal and external audit as well as a chapter explaining the different types of audits.

It goes on to spend several chapters breaking down the components and life cycle of an audit before delving into the different methodologies and frameworks available (NIST, ISO/IEC, COBIT, etc.). The book ends by providing an overview of Audit-Related Organizations, Standards, and Certifications.

All-in-all The Basics of IT Audit is a good primer for anyone just getting started in IT Audit or students pursuing a degree in IT Assurance. The book also does a great job demystifying the audit process and is recommended for anyone in IT who may be involved in their company's audit process.


Get this book at: Amazon | Syngress


Friday, June 13, 2014

Education & InfoSec

Yesterday the question was asked, "do you see a bump in pay-grade commensurate with the cost of a Masters?"  This got me thinking. There are numerous blog posts on how to break into security but I've rarely seen a blog post on education, especially given how often this question is asked. In this day and age there are numerous options available. Below are my experiences with the various forms of education and recommendations for someone new to the InfoSec industry.

"Traditional" Education

To begin, I did go to college. Back in the 90’s there was no such thing as an Information Security degree. Even IT degrees were still somewhat scarce. The best option available was a Computer Science degree that more or less taught programming fundamentals. At the time, classes were simplistic. One actually began with the professor holding up a 3.5" floppy saying, "This is a floppy disk". I often found I could complete the lab assignment and homework before class ended.

Recommendation:
Is a degree needed to "make it" in IT or InfoSec?  In a word, no. Some of the smartest, most technically competent people I know have no formal education. Nevertheless, I would recommend getting a degree. It can be difficult to make it past keyword filters and HR gatekeepers without this check box. Ideally, when you graduate you'll also walk away with soft skills that many IT/InfoSec professionals are lacking.


Internship

After a few years bouncing around different colleges I entered into an internship. I had a good mentor and learned more in those 10 weeks than in all my classes combined. At the end of the internship I was offered a full time position. Not wanting to give up on my education I transferred to the University of Phoenix and completed my last year online.

Recommendation:
Do it. Find an internship or take advantage of a mentorship program. There is no substitute for experience and you will never learn more than when you get your hands dirty. These are the times when you have more leeway to make mistakes and if you're not making mistakes you're not trying hard enough (or are not being challenged, in which case get a new mentor).


"Advanced" Degree

After completing my undergraduate degree I decided that if I was going to pursue an advanced degree I shouldn't wait. I was already in the student mindset and it would be easier to stay in "college mode" rather than return later in my career. I took a year off, then after an additional two years of education, I walked away with a shiny new Master's degree.

I'm often asked if I see value in my degree. Honestly, I'm not sure I do. Outside of positions with a college or university (or in executive management) I have not seen many InfoSec jobs that require an advanced degree. I also have not seen higher wages as a result of my Master's. In fact, I've been told I was passed over for a position because the company felt my education overqualified me and they believed I would not stick around.

Recommendation:
I've said publicly in the past that an advanced degree may have been a mistake on my part. Education is expensive and I can't say there is an adequate ROI. Even with employer contributions, I will be making student loan payments for many more years.

When deciding, take a good hard look at what area of InfoSec you want to work in and which industry. Look at job listings and talk to people in those positions to determine if an advanced degree is worth it. Also, take your time looking into a degree program. There are a lot more options than when I was in college. Find a curriculum where you will actually learn something and not just walk away with an expensive piece of paper.

Final thought: I still consider my career to be relatively young (13 years). I may find that my degree has greater value later in life.


Certifications

Certifications are another highly debated topic in the InfoSec industry. Over the years I've accumulated a handful of them at my employers' behest (CISA, CISSP & Six Sigma Green Belt). Realistically, I probably wouldn't have picked these up on my own dime but they do have some value.

Recommendation:
Not all certifications are created equal. Some have far more value than others. If you want to learn something and earn a certification that is respected, look at SANS training and certifications. If you are interested in a career in pentesting look at the OSCP and the other Offensive Security certifications.

The value of the CISSP is hotly contested. While many people believe it has no real value, this sentiment has started to shift. I attribute this to the election of Wim Remes (@wimremes), Dave Lewis (@gattaca) and Jennifer Minella (@jjx) to the (ISC)2 Board of Directors. These individuals have taken up the challenge of making the CISSP relevant and not just a check box to get past HR.


Conferences

The value of InfoSec and Hacker conferences is immeasurable. Not only is there the opportunity to learn, but the networking possibilities are endless. The InfoSec community is one big family and you will likely make many friends and possibly meet future coworkers.  I make it a point to attend 3-5 a year.

Recommendation:
Conferences are a must. Don't worry about expensive events like RSA or BlackHat unless you can get in with a student or press pass. Even if your company is willing to pay for it, you'll likely have a limited education budget that can be stretched further at other events. Many quality conferences only cost $150-$200. BSides events are held all over the world and range from FREE-$20.

Training at conferences is also a bargain. You can usually get 2-3 days of quality training for $1000 (which includes entrance to the conference).

If you can't afford travel, check out SECore.info for conferences near you. If you can't afford the cost of registration, consider volunteering. The organizers can always use help and it's a great way to network. You'll have plenty of time to see talks as well.


Independent Study

People who are successful in this field are people who enjoy what they do and spend a significant amount of free time learning. In addition to my day job I spend 15-20 hours per week absorbing new material.

Recommendation:
Find an RSS reader you like (some suggestions here) and subscribe to InfoSec blogs. Listen to podcasts. Spend time on SecurityTube.net and YouTube (I highly recommend Adrian Crenshaw's channel). Join Twitter and follow other security practitioners. Learn to code in Python or Ruby and open a GitHub account.

Build a lab. You'll learn by doing. Download tools, spin up VMs (check out Kali and Metasploitable) and spend time familiarizing yourself with them.
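As an added example of the lab described above (not code from the original post), here is a minimal Vagrantfile that stands up an attacker box and a deliberately vulnerable target on a host-only internal network. The box names `kalilinux/rolling` and `rapid7/metasploitable3-ub1404`, the `seclab` network name and the 10.10.10.0/24 addresses are assumptions; check Vagrant Cloud for current box names before using them.

```ruby
# Vagrantfile (added example, not from the original post).
# Assumptions: VirtualBox provider, Vagrant Cloud boxes "kalilinux/rolling" and
# "rapid7/metasploitable3-ub1404", internal network name "seclab", 10.10.10.0/24.
Vagrant.configure("2") do |config|
  # Attacker box: Kali rolling release.
  config.vm.define "kali" do |kali|
    kali.vm.box = "kalilinux/rolling"
    kali.vm.hostname = "kali"
    # "private_network" + virtualbox__intnet puts the NIC on a VirtualBox
    # internal network that only other VMs on the same host can reach.
    kali.vm.network "private_network", ip: "10.10.10.10", virtualbox__intnet: "seclab"
    kali.vm.provider "virtualbox" do |vb|
      vb.memory = 2048
      vb.cpus = 2
    end
  end

  # Target box: Metasploitable 3 (Ubuntu 14.04 build). It is intentionally
  # vulnerable, so it gets the internal network only: never "public_network"
  # (bridged) and no forwarded ports into it from the host.
  config.vm.define "target" do |target|
    target.vm.box = "rapid7/metasploitable3-ub1404"
    target.vm.hostname = "target"
    target.vm.network "private_network", ip: "10.10.10.20", virtualbox__intnet: "seclab"
    # Do not share the host's working directory into a box you intend to pop.
    target.vm.synced_folder ".", "/vagrant", disabled: true
    target.vm.provider "virtualbox" do |vb|
      vb.memory = 2048
    end
  end
end
```

Run `vagrant up` in the directory holding the file, then `vagrant ssh kali` and scan 10.10.10.20 from there. One caveat: Vagrant still attaches its own NAT adapter to each box for management, which gives the target outbound access through the host; if you need a fully air-gapped target, remove that adapter in VirtualBox after provisioning or use a hypervisor where you control every interface.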

Lastly, explore. There's much more information out there than you will ever be able to learn.


Monday, February 10, 2014

Review: Alyssa Milano's "Hacktivist"

When news hit that Archaia Entertainment would be releasing a title called "Hacktivist" the security community let out a collective groan.  The skepticism was not abated when Alyssa Milano was attributed to the project.  How can the Hollywood actress best known for her roles on the television series' "Who's the Boss?", "Melrose Place" and "Charmed" write a comic about a subject that is regularly misrepresented in the media?

In truth Ms. Milano is more than just an actress and author.  She is the Founding Ambassador for the Global Network for Neglected Tropical Diseases and a UNICEF Goodwill Ambassador for the United States.  Her trips to India, Kosovo, and Angola in support of these missions have at least given her some exposure to the regions portrayed in this story.  Ms. Milano had this to say about her inspiration:
"I’m very involved with global activism and philanthropy. I like the idea of everyday people doing good.  My inspiration for Hacktivist is actually Jack Dorsey, the creator of Twitter and Square. I picture him leaving the office at night and going home, where he locks himself in his room and starts hacking to change the world. 
"I felt Hacktivist was a strong story that I really wanted to tell visually.  Doing a graphic novel allowed me to dream big and it gave me the freedom to create without boundaries."
I can't say that I see Mr. Dorsey in the same light. There's a big difference in hacking to be innovative versus attacking companies and governments.

While the comic seems to be Ms. Milano's concept she is only listed as the creator.  The story is credited to Jackson Lanzing and Collin Kelly.  Both of these authors are relatively unknown so it remains to be seen how they will influence the narrative.

Characters 

The publisher describes Hacktivist as:
"a fast-paced cyber-thriller about friendship and freedom in a time of war. The story follows Ed Hiccox and Nate Graft, the young founders of the world’s most innovative social media company who moonlight secretly as one of the most notorious black-hat hacker teams on the planet. When the U.S. government discovers their operation, they must face the real world beyond the code and choose between loyalty and what they believe to be is right."
Personality-wise, the characters read as a blend of Mark Zuckerberg and Anonymous, but with personalities at either end of the spectrum.  Ed is a suit-wearing savant who would rather spend his free time memorizing traffic patterns.  Nate is a jeans-and-hoodie-wearing non-conformist who would rather spend his evenings throwing a party that, "makes Gatsby look like a bounce house."

"Hacktivist" is a four issue mini-series so the story has yet to delve into the characters' motivations but the plot is interesting enough to warrant spending a couple of bucks on each issue.

Technical Merits

If you work in information security, don't read this comic expecting familiar jargon or novelty screenshots of nmap and Metasploit.  I doubt they consulted any experts when they wrote dialog such as, "and now they're plugging us into an onion router" and the verbal exchange depicted below:

I tend not to get too worked up about trivial inaccuracies in entertainment media (movies, television, books, comics, etc.).  The purpose of these stories is to entertain the general public who doesn't particularly care if a scene is technically accurate.  No doubt doctors, lawyers and other professionals can point out issues with how their profession is portrayed.

Verdict

Whether you are a comic book reader or not, the first issue of "Hacktivist" was entertaining.  Without giving anything away, the issue leaves the reader wanting to know what happens next.  "Hacktivist" is a fully contained story with a beginning, middle and end (not always the case with comics).  If you don't like cliffhangers, you can wait until all issues have been released or wait for the trade paperback to be published.

You can pick up a copy of "Hacktivist" at your local comic shop or a digital copy at Comixology.com.



Controversy Around The Word "Hacktivist"

Back in July (2013) TechDirt obtained one of the 500 preview copies of Hacktivist that were distributed at San Diego Comic-Con. They published an article in which TechDirt noted that "HACKTIVIST™ is © and TM 2013 by Alyssa Milano."  As you can imagine this caused some stir in the Information Security community.  To her credit, Alyssa Milano spoke up on Twitter and directed inquiries to the publisher.  Archaia quickly followed up with a post clarifying their claim.  In it they state:
"Archaia and Ms. Milano do claim trademark and copyright protection, as appropriate, for the book, the title, the characters, and content included of The Hacktivist. However, no claim is made to other uses of the term ‘hacktivist.’ In accord with Ms. Milano’s wishes, we support the attention to the issues of philanthropy and activism."






Friday, February 7, 2014

Lessons Learned: Speaking at a Security Conference

SOURCE Boston was kind enough to take a chance on me and on April 17, 2013 I gave my first talk at a security conference.  The video was finally released this week so I thought it a good opportunity to run down my lessons learned.

I fully admit I was anxious and acknowledge I made quite a few mistakes.  I've given small presentations in the past; however, I was always the subject matter expert in the room and felt confident I would be able to speak with authority and answer any questions.  This time I was speaking in front of my peers, many of whom are wiser and more experienced than I.  Looking back I recall seeing Jack Daniel, Andy Ellis, Josh Corman, Bob Rudis and Ed Skoudis (just to name a few).  The room was small, it could accommodate maybe 50 people and there were about 35 people in attendance.  I'm not sure if this made it easier or more difficult.  On one hand, if I embarrassed myself it would only be in front of a handful of people; on the other, the small venue made it more intimate.

Below are the lessons learned throughout the process.  Some of these I was able to incorporate before the talk, others I didn't think of until after the conference.

Submitting a Talk:  When you've chosen a topic make sure you give yourself plenty of time to submit. Deadlines can creep up on you.  Also, make sure you follow the instructions.  One thing I constantly hear from conference organizers is that they will reject quality talks if they do not follow the required formatting.

Start Working Right Away:  As soon as your talk is accepted start working on your presentation.  It may seem like you have plenty of time but life inevitably gets in the way.  Business trips, unexpected workload and family events can consume your time.  In my case, a death in the family monopolized a significant amount of time and drained a lot of my motivation to work on my talk.

Practice, Practice, Practice:  This one should be obvious.  Get your presentation done early so that you can rehearse your talk.  If you're anything like me you'll be surprised at how often you tweak the content.  Start with a written script, graduate to note cards and eventually your slide deck should be all you need to give your talk without thinking.

Slides:  Slides should not contain your entire talk.  These should be used to visually supplement your material. This is where you can add pictures, charts and graphs to illustrate your point.  Bullet points should be high level and the font should be large enough to read from the back of the room.  In most cases a talk should be able to stand on its own so if there are technical difficulties you can continue without slides.

Dry Run:  If you have the opportunity, give a preview of your talk somewhere else.  Most cities have organizations that are looking for speakers (DefCon Groups, ISSA or ISACA chapters, local "city sec", etc.).  This is a great opportunity to practice your talk in front of a live audience and get honest feedback that you can incorporate later.  If you can't find a meeting, try to arrange a Skype call or Google Hangout where you can present in front of a small group.  You'll be surprised at how many people are willing to give you feedback.

Film Yourself:  No one is going to be as critical of you as you are of yourself.  Watching your own talk will help you work on your timing, get rid of the "ums" and "ahs" and get you to move about (this engages the audience and prevents you from looking stiff).  The dry run mentioned above is usually a great opportunity to film yourself.

Title:  It can be tempting to come up with a witty title for your talk.  This can draw attention and you may get a better turn out.  Just don't get too carried away.  You want people to still know what your talk is about.  In my case I went too far in the other direction.  I titled my talk, "Hacking Back Is A Bad Idea".  This gave away my opinion and may have dissuaded people from attending who did not share my view.  In retrospect, a more appropriate title may have been, "Hacking Back: Is It Right For You?"

Questions:  If you finish your talk early or plan to leave time at the end, you'll have the opportunity for questions.  In a large room you will want to repeat any questions asked.  You're the only one with a microphone and the rest of the audience may not hear the question.  In my case, the room was small enough and the discussion lively enough that I did not feel the need to interrupt to repeat comments and questions.  Unfortunately, this means they were not captured on the recording.

Hopefully you can learn from my mistakes.  I've embedded my video and slides below.

Please be gentle :)