Saturday, December 31, 2016

2016 InfoSec Tweet Awards

Welcome back, good reader.  This year marks the 5th Annual InfoSec Tweet Awards!  It's hard to believe I've been doing this for half a decade.

In 2016 I reduced the number of accounts I follow and I'm not as obsessive about reading every tweet, but there were still plenty of gems to choose from.

As in previous years, there are no actual awards.  These are just funny or thought provoking tweets that I've "favorited" over the year (I still refuse to call them "likes").  As always, categories are completely arbitrary and I make them up as I go along...

Best Tweet Inspired by a TV Show

Best Tweet Inspired by a Movie

Best Tweet About CISSPs

Best Tweet About Auditors

Best Tweet About DevOps

Best Tweet About A Text Editor

Best Tweet About Education in InfoSec

Best Tweet About Skill Shortage in InfoSec

Best Tweet About Travel (tie)

Best Tweet About Dating in InfoSec (tie)

Best "Threat Landscape" Tweet

Best Poem in a Tweet

Best InfoSec Analogy in a Tweet

Best Tweet Telling It Like It Is

Well, that's a wrap for 2016.  I know this year has sucked for a lot of you.  We've lost loved ones and those who inspire us, but this does not diminish the impact they've had on our lives and the people we are because of them. With that said, on this New Year's Eve, let us celebrate the good things in our lives and cherish those who are still with us.  I wish you all health and happiness in 2017 and hope to see many of you soon.  

Happy New Year!

Friday, December 30, 2016

Defeating the Rebellion with Security Controls: A Star Wars Story

The weekend Rogue One: A Star Wars Story was released, a conversation started on Twitter discussing the missteps made by the Empire which inevitably led to the theft of the Death Star plans.  To avoid spoiling the movie for everyone, Wolf Goerlich (@jwgoerlich) and I moved the conversation to direct messages.  He has since posted two great videos, "Rogue One and InfoSec" Part 1 & Part 2.  You can find them on his informative YouTube series, Stuck In Traffic with Wolf Goerlich.

What follows are my thoughts on the controls the Empire could have implemented to thwart the Rebellion.


Prohibit BYOD (Bring Your Own Droid)

From R2-D2 to BB-8, it seems everyone has their own personal droid in the Star Wars universe.  Most are designed for a specific task (Astro Mechs, Protocol Droids, etc.), but all are capable of storing large quantities of data, and many are equipped with universal Scomp Links or computer interface arms that allow them to access any computer terminal.  Had the Empire prohibited BYOD and implemented network access controls, unauthorized assets (droids) would have been unable to connect to computer terminals in the first place.

Design Review

In Rogue One, Galen Erso is the unwilling head of the Kyber Crystal Research Team working on the Death Star.  In this role he was able to architect a flaw in the reactor that would lead to its destruction during the Battle of Yavin.  In the movie, a holo-recording of Erso recounts how he had made himself indispensable, "all the while laying the groundwork for revenge."  He accomplished this by "placing a weakness deep within the system, a flaw so small and powerful that they will never find it."

The construction of the Death Star was a massive undertaking, one executed with military precision.  This should have included extensive reviews of the initial design as well as architectural, electrical, mechanical (and crystalic?) inspections during construction.  Appropriate checks and balances would have prevented this flaw from being introduced.

Asset Management and Clearance Code Revocation

During the escape from Eadu the rebels steal an Imperial cargo shuttle.  This ship contains clearance codes that allow them to pass through the shield gate and land on Scarif.  Chronologically this may be the first time this tactic was used, but as we have seen in Return of the Jedi, the Rebel Alliance would later steal a shuttle in order to bypass the deflector shield and land on the forest moon of Endor.  Had the Empire implemented better asset management, they would have known these shuttles were stolen and could have revoked the clearance codes.  The Empire could have gone one step further by implementing a system that would allow them to remotely disable the engines on stolen starships.
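To make the asset-management point concrete, here is an added example (it is not from this post or from Wolf Goerlich's videos) of a shield gate that only honors a clearance code if it is cryptographically bound to a specific ship, has not expired, and the ship is still marked in service in the inventory. Reporting the shuttle stolen is all that is needed to revoke its code. The ship identifiers, the gate key and the inventory are all constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed asset inventory (hypothetical): ship id -> status.
# The shield gate consults this before honoring any clearance code.
INVENTORY = {
    "SHUTTLE-0731": "in_service",
    "SHUTTLE-0882": "in_service",
}

# Hypothetical gate key, constructed for the example. A real deployment
# keeps this in an HSM or secrets store, never in source.
GATE_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(ship_id, expires_at, key):
    """HMAC over the ship id and expiry, so a code cannot be moved to another ship."""
    msg = f"{ship_id}|{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_clearance_code(ship_id, expires_at, key=GATE_KEY):
    """Issue a clearance code bound to one ship and one expiry time (epoch seconds)."""
    return f"{ship_id}|{expires_at}|{_tag(ship_id, expires_at, key)}"


def report_stolen(ship_id, inventory=INVENTORY):
    """Asset management: flagging the ship stolen revokes every code issued to it."""
    inventory[ship_id] = "stolen"


def verify_at_shield_gate(code, now, inventory=INVENTORY, key=GATE_KEY):
    """Return (allowed, reason). Checks integrity, then expiry, then asset status."""
    try:
        ship_id, expires_at, tag = code.split("|")
        expires_at = int(expires_at)
    except ValueError:
        return False, "malformed"
    # Constant-time comparison so the gate does not leak how much of the tag matched.
    if not hmac.compare_digest(tag, _tag(ship_id, expires_at, key)):
        return False, "bad signature"
    if now > expires_at:
        return False, "expired"
    status = inventory.get(ship_id)
    if status is None:
        return False, "unknown asset"
    if status != "in_service":
        return False, f"asset status {status}"
    return True, "ok"


if __name__ == "__main__":
    code = issue_clearance_code("SHUTTLE-0731", expires_at=1000)
    print(verify_at_shield_gate(code, now=500))     # allowed while in service
    report_stolen("SHUTTLE-0731")
    print(verify_at_shield_gate(code, now=500))     # denied once reported stolen
```

The design choice worth noting is that the code itself never changes when the ship is stolen; revocation is a property of the inventory, which is why the inventory has to be accurate for the control to work at all.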

Two-Factor Authentication

Upon gaining entrance to the citadel tower (simply by donning stolen uniforms), Jyn and Cassian access the data vault by placing the hand of an unconscious officer on a biometric pad.  While some argue that biometric authentication is better than a password, requiring a combination of the two would have allowed the Empire to prevent access to its sensitive proprietary information.

Data Encryption

Once inside the data vault, Jyn and Cassian are met with a six-story shaft containing a spire filled with "data tapes".  The design is reminiscent of a StorageTek 4400 ACS tape library.  Following the identification of the correct tape and Jyn's harrowing escape, she makes her way to the satellite dish in order to transmit the plans to the Rebel Fleet.  Once received, the data is transferred to several different forms of media before finally landing in the hands of Princess Leia, who includes them with her message to Obi-Wan Kenobi inside R2-D2.  Had the Empire encrypted this data, the rebellion would likely have ended on Scarif, the Battle of Yavin would never have taken place, and the Death Star would have gone on to destroy countless other planets.

Final Note

While it's easy to point out the shortcomings of the Empire, the lack of controls is all too prevalent in the real world.  There are plenty of reasons these controls might not have been implemented.  The Death Star was a massive undertaking.  It is possible that all resources were diverted to its construction and any budget for controls was denied.  Perhaps in a galaxy far, far away there exists an InfoSec skill shortage.  Lastly, it could be the culture of arrogance that was prevalent throughout the Empire.  After all, who could hack the all-powerful Galactic Empire?

Thursday, January 14, 2016

Breaking Into Security: A Compendium

Like most Information Security practitioners, I am frequently contacted for advice on breaking into this industry.  Rather than write yet another blog post on the subject, I thought it would be more beneficial to collect a variety of quality posts covering different aspects of the industry and provide them as a quick and easy reference.

In reverse chronological order:

Starting an InfoSec Career – The Megamix   Lesley Carhart (@hacks4pancakes)
If you have no idea where to start then begin here.  Hacks4pancakes has done an amazing job and her "Megamix" is probably the most comprehensive series of articles on breaking into security.
How to become a pentester   Peter Van Eeckhoutte (@corelanc0d3r)
Corelanc0d3r is the go-to guy for training when it comes to exploit development.  He has written an extensive post covering time, effort, and the general mind set of a pentester.  He also provides links to resources and a list of companies willing to hire inexperienced pentesters.
20 of the Most Misguided Beliefs About InfoSec   David Spark (@dspark)
While this is not technically a "how to break into security" post it does debunk a lot of common misconceptions about security which can be just as valuable when starting your career in InfoSec.  
Answers on how to get started in Security   Chris Gates (@carnal0wnage)
Chris provides sound advice on getting started in pentesting, but the best part of this post is the list of book recommendations sorted by area of focus (pentesting, netsec, webappsec, social engineering and physsec/redteam).
Finding And Using A Mentor   Wolf Goerlich (@jwgoerlich)
In Wolf's blog post he expands upon a recent Forbes article on mentorship and provides the InfoSec perspective on finding and benefiting from a mentor.  He has also recently posted a Career Advice Video (available here).
How to Build a Successful Information Security Career   Daniel Miessler (@DanielMiessler)
Dan's post includes the usual advice for starting out but also addresses the areas in which you will need to grow as your career progresses.
Education & InfoSec   Steven Maske [me] (@ITSecurity)
This was my personal take on all the different ways you can learn our trade.
Hack the Hustle! [Video]   Eve Adams (@HackerHuntress)
Think you know how to write an InfoSec resume?  Are you sure?  Find out from a respected technical recruiter who understands the needs of our industry.
Thoughts On Being Asked “How Do I Get Into INFOSEC?”   Scot Terban (@Krypt3ia)
A (surprisingly calm) reality check from my favorite security curmudgeon.  Read this for an idea of the expectations that you will face IRL.  TL;DR: InfoSec is not for those without dedication.
How To Break Into Security   Brian Krebs (@briankrebs)
If you don't know who Brian Krebs is, you will.  He is one of the better-known reporters in our industry, and his site, Krebs on Security, is one of the few InfoSec news sources that is read by people outside of our industry.  Back in 2012 he conducted a series of interviews on how to break into security.