Policies, Procedures and Politics

In the United States, you might have noticed that we have an event going on. Theoretically, the purpose of this event is to decide the direction of the country for the next four years. As is often the case with these discussions, many claims are being made by both sides. Of course, there are then claims upon claims, and discussion and action start to spiral out of control. Luckily, we have a document that we’ve created over the years to help keep things on track.

The Constitution of the United States, the Bill of Rights and associated Amendments serve as a reference and a guideline for how to run the country. They break down as follows:

  • Constitution of the United States, accepted in 1787 – 4,601 words
  • Bill of Rights, adjustments to the constitution in 1791 – 731 words
  • Amendments since 1791 – 2,615 words

This means that in the two hundred and twenty five years that the United States has existed as a country, over four hundred million people, their rights, responsibilities and very lives have been guided by under 8,000 words. In general, it’s worked pretty well.

I make this post with two reasons in mind.

1) If you are going to engage in political discourse within the US, please take the time to read the 8,000 words (and 7% of that is filler like headers and names). It’s only about 12 pages of text (24 double-spaced), and it will help you to uncover lies and arm you to educate the uninformed.

2) If we can run a country for over two centuries with a policy document that is 12 pages long… that most people don’t bother to read, how many do you think read your information security policy manual?


For those that don’t want to bother clicking the links above, below is the text of the US Constitution and all amendments. Please, read it over lunch. You, and the country, will be better off.


Horsing around at ShmooCon

Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.

1) Operations

For many years, the community has been saying that security is facing an operations challenge, not simply one of technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day when people don’t do the right thing; this is the fundamental reason most people get successfully attacked.

In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable.  Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.

Sadly, we live in a world full of dead and starving horses.

2) Separation of Targets

Fortunately, not every business is as far behind as most of those we see. There are many businesses doing security right. They are investing money to protect assets, training employees and seamlessly running operations. These companies are succeeding, and as a result, the gap between “good” and “average” is widening dramatically.

To get back to the horse metaphor, we no longer have a single race. Instead, we have two. In the first, people are riding their horses much as you’d expect. In the second, businesses have invested in security but not operations, dragging their dead and dying horses around the track. These races work very differently and therefore are attacked differently.

If your operations are failing (as in #1 above), your horse may not be worth much. However, if an attacker can get a nice pile of dead horses, they can sell them for glue. In other words, these are the low-level attacks we see every day zeroing in on credit cards, ACH transfers and customer data. Attackers focus on bulk theft and you are just a convenient target.

However, if you have good security AND good internal operations, you’re in a different race. A horse thief focusing on live horses is going to have more options than one who raids the graveyard. The attacker who selects a company with good operations will see greater value from a successful attack. If your company is investing in day-to-day operations, odds are you have some juicy intellectual property to protect. This is where these attackers focus.

In either case, if you’re behind more than half the horses in the race (i.e., below average), you’re going to lose. Remember, the attacker just has to win once… you have to deflect the attacks constantly. The attackers are targeting the easiest in each category first, so as horses vanish from the race, you have to keep improving to stay above average.

3) Defensive Intel Sharing

Finally, there is the true value of an event like Shmoo. The value isn’t in the sessions (though they are great), but in the discussions in hallways and over meals. This is where security people get together and share ideas as to what techniques work to defend against these attacks. We brainstorm and share intelligence. This helps us protect our own little corners of the world better.

To beat the horse metaphor to death, it is as though international teams of horse rustlers (hackers) specialize in stealing horses (your business). Some are great at stealing wagons and have no idea what horse they’ll be getting. Others team up and have one person good at riding horses, one at distracting jockeys and maybe a large animal vet to determine how best to use the newly-stolen horse. They share ideas with other teams as to what has worked and what hasn’t, and thus they constantly improve.

At Shmoo, we share ideas that keep our horses from being stolen. It could be as easy as putting better locks on the stables, or as ridiculous as using velcro saddles to keep the jockeys firmly seated. In many cases, it is about small improvements … ways to feed the horses more cost-effectively, or the ability to keep an extra set of eyes on people approaching your stable.

In other words, going to Shmoo isn’t likely to help you, but it will certainly help me help you. Now, let’s talk about your horse.


(Originally posted on RJS Informer)

Password Security and Schools

For those who don’t know, when attackers successfully breach a system, they often share the information they find publicly on the internet. For those on the illegal side of Information Security, this awards them the satisfaction of adding another notch on the scoreboard and further shames those who have poor security. For people like me on the legal side, we receive the ability to gather passwords used in the real world and analyze commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain information gets leaked.

Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in, but it certainly looks correct and the leak has already been plugged, thus illustrating the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords for 246 sixth graders.

You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, there were only 34 unique passwords. 34!

Here they are:

  • glasses = 13 (5.28%)
  • finish = 12 (4.88%)
  • button = 12 (4.88%)
  • dinner = 12 (4.88%)
  • oranges = 12 (4.88%)
  • apples = 12 (4.88%)
  • letter = 12 (4.88%)
  • stormy = 12 (4.88%)
  • gentle = 11 (4.47%)
  • cupcake = 11 (4.47%)
  • winter = 11 (4.47%)
  • butter = 11 (4.47%)
  • carpet = 11 (4.47%)
  • joyful = 11 (4.47%)
  • summer = 10 (4.07%)
  • middle = 10 (4.07%)
  • friday = 10 (4.07%)
  • person = 10 (4.07%)
  • football = 10 (4.07%)
  • people = 10 (4.07%)
  • soccer = 10 (4.07%)
  • butter32 = 1 (0.41%)
  • butter27 = 1 (0.41%)
  • dinner20 = 1 (0.41%)
  • letter38 = 1 (0.41%)
  • summer17 = 1 (0.41%)
  • summer83 = 1 (0.41%)
  • winter34 = 1 (0.41%)
  • apples74 = 1 (0.41%)
  • letter28 = 1 (0.41%)
  • Password = 1 (0.41%)
  • summer22 = 1 (0.41%)
  • letter48 = 1 (0.41%)
  • winter64 = 1 (0.41%)

Note the entries with a count of 1 (the right hand column in the original layout). Those are the passwords that are truly unique. This means that of 246 passwords, only 13 of them are not like the others. Of those 13, only one wasn’t based on the shared list. And even that one was the always original “Password.”

In all the analyses I’ve done, this is by far the worst.  There are a handful of possible scenarios here. Ignoring the possibility this is completely fabricated (the usernames of the children make that seem somewhat unlikely), this is either a set of passwords that were generated for children or by children. Given how evenly matched the passwords are in distribution, it seems more likely there was a list of 21 “default” passwords that were generated and then the students were asked to change them. Given the passwords on the right hand column, it seems as though the instructions were “add two numbers to the end of your password to make it secure.”  The password of “Password” matches a username of “Username,” so it’s probably a header or a default value and can be ignored.

So, what’s wrong here?

First, selecting passwords in this way means if someone knew their password and wanted to try to get into other accounts, they’d be able to get into at least 9 other accounts and possibly as many as 14 … and that’s with doing no work at all. If you look at word pairs you get summer/winter, apples/oranges and soccer/football. This raises the number of breached accounts with inside knowledge to 25. Now, if you decided to attack this system with a default word list, it would take about a day to get hits on most of these. If you had a list of usernames, you could easily gain access to every account on this list in a day.  In some systems, it would take as little as a minute to crack each account.

So no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the right hand column contains passwords that people changed, only 12 students changed their passwords as instructed. If we assume they were given instructions, this means we can expect 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are even more likely to follow directions than adults, so in an average organization, we can assume less than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.

Now take a minute and think what this would have looked like if the following changes were made to the system:

  • Users are assigned completely random passwords
  • The system required passwords to be at least 12 characters long.
  • The system required passwords to have a mix of upper case, lower case, numbers and punctuation

What would happen?  First, the student would probably write his or her password down somewhere. Now that code is as safe as a locker and/or the student’s resistance to bullying.  Maybe there’s a better way.

What if the system were set up to allow users to register themselves and had a password complexity rule? Suppose it had to hit a specific score of something like 100, where the scoring worked this way:

  • base starts at 0
  • Upper case character = base+10
  • Lower case character = base+10
  • Number = base+10
  • Punctuation = base+10
  • Space character = base+10
  • Score = base * length of the password

If someone wanted to use a basic word like “winter,” the system wouldn’t accept the password. “Zoologists,” on the other hand, would be accepted. If you wanted something shorter, you could go with “like2” to obtain your required score of 100 (a base of 20 * 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold score and weighting various characters differently, people are driven to select their own passwords.

Using the rules above, suppose you wanted a specific score of 1000. “Jooxiepa8da X1Zaode!” would work, but so would “Ask not what you can do for your country.”  Which is easier to remember?

This is how you generate passwords to meet an arbitrary security threshold that are easy to remember and hard to crack. Since people don’t follow directions (5% change rate) and write down hard things to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password security from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.

In fact, maybe we should do this in business too.
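As an added example (my own code, not part of the original post), here is the reuse audit from the first half of the post applied to the leaked list, together with the scoring rule from the second half. It goes one step beyond the text by running that scoring rule over the leaked passwords to see which would have been accepted at a threshold of 100 and of 1000. Assumptions: a trailing run of digits marks an “add two numbers” variant of a base word, and the “Password” entry is kept in the data exactly as it appears in the list.

```python
import re
from collections import Counter

# Password counts transcribed from the leaked list in the post: 246 accounts, 34 distinct values.
LEAKED_COUNTS = {
    "glasses": 13, "finish": 12, "button": 12, "dinner": 12, "oranges": 12, "apples": 12,
    "letter": 12, "stormy": 12, "gentle": 11, "cupcake": 11, "winter": 11, "butter": 11,
    "carpet": 11, "joyful": 11, "summer": 10, "middle": 10, "friday": 10, "person": 10,
    "football": 10, "people": 10, "soccer": 10, "butter32": 1, "butter27": 1, "dinner20": 1,
    "letter38": 1, "summer17": 1, "summer83": 1, "winter34": 1, "apples74": 1, "letter28": 1,
    "Password": 1, "summer22": 1, "letter48": 1, "winter64": 1,
}


def base_word(password):
    """Strip a trailing run of digits, so 'letter38' belongs to the 'letter' family (assumption)."""
    return re.sub(r"\d+$", "", password)


def audit(counts):
    """Measure reuse: accounts per password and accounts per base-word family.

    'families' answers the post's question of how many accounts a student who knows
    one password could reach by also trying the 'add two digits' variants of it.
    """
    families = Counter()
    for password, n in counts.items():
        families[base_word(password)] += n
    return {
        "accounts": sum(counts.values()),
        "distinct": len(counts),
        "families": dict(families),
        "largest_family": families.most_common(1)[0],
    }


# The post's scoring rule: +10 to the base for each character class present,
# then score = base * password length.
CHARACTER_CLASSES = (
    str.isupper,
    str.islower,
    str.isdigit,
    str.isspace,
    lambda c: not c.isalnum() and not c.isspace(),  # punctuation
)


def score(password, weight=10):
    base = sum(weight for is_class in CHARACTER_CLASSES if any(is_class(c) for c in password))
    return base * len(password)


def accepted(counts, threshold):
    """Leaked passwords the scoring rule would have let through at this threshold."""
    return sorted(p for p in counts if score(p) >= threshold)


if __name__ == "__main__":
    result = audit(LEAKED_COUNTS)
    print(f"{result['accounts']} accounts, {result['distinct']} distinct passwords")
    print("largest family:", result["largest_family"])
    for pw in ("winter", "Zoologists", "like2", "Jooxiepa8da X1Zaode!",
               "Ask not what you can do for your country."):
        print(f"{score(pw):5d}  {pw}")
    print("would pass at 100:", accepted(LEAKED_COUNTS, 100))
    print("would pass at 1000:", accepted(LEAKED_COUNTS, 1000))
```

Run as-is it shows the “letter” family reaching 15 accounts, and that at a threshold of 100 exactly the 13 digit-suffixed and “Password” entries would have been accepted, while at 1000 none of the leaked passwords would.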


(This article was originally posted at the RJS Insider)

Security Certification 3/3 – Doing and Teaching

This post is part 3 of a series.  Please see posts 1 and 2.

So you’ve learned something. Congratulations. Knowing is half the battle. Sadly, the other half involves actual fighting. This post is on how to fight… or, in this case, demonstrate that you know stuff. (Which is a lot like fighting if you leave out all that tedious stuff about hitting people.)

I like to follow the old cliché “Learn One, Do One, Teach One”. So you’ve learned something. The next step is to do something with it. Since we’re talking about security, the best option would probably be to stop a bad guy. Sadly, that’s not always feasible. Fortunately, you have some options.

Doing

One thing I strongly suggest is joining an open source project. I used to suggest starting one, but it seems that whenever I said that, someone would run off and make a new network scanner. We have enough of those.

Join a project that uses modules. Metasploit is good. So are SET and Nmap. If you’re webby, take a crack at extending w3af. This will force you to understand a system, improve a system and work with others to get your change accepted. In short, it demonstrates everything that a prospective employer wants.

Suppose you’re not a programmer. That’s OK. You can use the tools above to run assessments. Assess your home network to learn how everything works, then start calling local non-profit groups. Offer them a scan in return for the ability to post a summary of the results online (after they approve the anonymization of the data). Now, there is a bit of risk here, so you might want to investigate errors and omissions insurance beforehand. At the very least, consider one of the “approval” forms so that you’re protected. Learning the ins and outs of these sorts of assessments demonstrates that you not only have the technical skills, but that you can also use them in a meaningful way.

(Note: Never give anything away for free. This is a scan in exchange for publicly-viewable experience. If you offer to work for free, all you’ll do is get a lot of clients… who also want you to work for free.)

Now, those two paths are all well and good if you’re technical. However, we have some people in this field that aren’t technical at all. There’s nothing wrong with that… but be aware that to be truly successful you have to understand both technology and people. Try to branch out.

If you’re not going to branch out, you can still help an open source project. Documentation on many projects is… well to call it “lacking” would be like calling the Titanic “a boat that encountered a spot of bother”. There’s a lot of need there and a lot of wikis that are fully editable, so get cracking. You might also be able to help with project management, with resolving disputes on mailing lists, or by prioritizing bugs based on user impact. You know, basically doing all the tasks that stereotypical geeks aren’t very good at.

The next step is to promote the fact that you’ve done something. The best way to do this is teaching, and the Internet makes this easy.

Teaching

Teaching is all about sharing knowledge. While the traditional teaching option of holding a class is still viable, it doesn’t give you the same range of exposure as techniques like blogging and vidding. You certainly get a more personal connection by teaching a class and the people consuming your content might absorb it better, but if you’re wanting to build a brand and try to jump into a better job, you have to cast wide. Here are some options:

Basic blogging is much like you’re reading now. Just grab yourself a domain, link it to WordPress and go. The difficulty with blogging is the tendency to lose time to “research”. If you’re new to blogging, give yourself two days (20 hours) of research time on how to blog. A good place to start is the Converstation Archives. Once you’ve done that, build a list of topics and give yourself one hour for each topic. Give yourself 20 minutes to write the content, 20 minutes to edit the content (after waiting a day or so), and 20 minutes to publish the content on WordPress (this includes adding links and images). You can spend more time than that on posts that matter strongly to you (as I did on this series), but be careful not to spend too much time. If you keep trying to make it “perfetc”, it’ll never get published.

Micro-blogging is a lot like blogging, but you say more with less. In the US, Twitter is the most popular micro-blogging platform, but Facebook and Google+ are challenging it. Personally, I find this a very difficult medium. What works for me is to write a blog and then excerpt key phrases from it for micro-blogging purposes. If you’re gifted in this medium, feel free to start here. However, if you use it for professional purposes, please try to avoid the shorthand that’s common in the medium. U wont get jobz talking lik this.

Vidding and podcasting are other techniques that I’m not personally comfortable with, but which work for a whole lot of people. This is as simple as sitting in front of a web camera and talking to an audience that you hope will emerge over time. My attempts at podcasting were all aborted because the editing took too much time. Perfectionism and linear editing do not mix well. I hope to give this a shot again later this year, but we’ll see. It’s very hard for me.

One friend suggests that these techniques are made easier if you have a script.  Granted, you have to practice to make sure it doesn’t sound scripted, but this is very good advice.  I’ll have to try it the next time I give this technique a whirl.

Graphically-intensive content such as infographics and comics is another way to get the message out. I’ve done tons of infographics (few are public) and a fairly large graphic novel that has been “in progress” for the last five years. The trick here is not biting off more than you can chew. If you are skilled graphically, take a shot at illustrating what you’ve done and sharing it with others. This can be a very powerful technique.

There are tons of other methods. If you think I’ve missed something important, please let me know in the comments.

Conclusion

This has been a lot of text… but hopefully this has answered your certification questions at a very high level and explained how to extend your learning. If you do this, you should gain something more directly useful to you than tacking a few letters to your name. Of course, it’s a bit more complex than this in “real life”.

In addition to what I described here, each certification comes with its own community which may or may not mesh with your needs. Personally, I mesh well with the SANS community and not very well with the ISC(2) community… but this is extremely personal. There’s no way to know where you’ll mesh without giving it a try, so pick the certification based on what you need to learn and figure out the social aspects once your certification grants you access to a community.

Similarly, the “doing” and “teaching” phases only work if you dedicate enough time to them. Your journey doesn’t end when you get the certification, so if you can’t devote the time from your life to complete the process, you should seriously reconsider whether to even get a certification in the first place.

However, if you can afford the time to learn, do and teach, you should see your professional life advance extremely quickly.

Security Certification 2/3 – Learning

If you’re reading this post, it is assumed that you’ve already read my post on what certifications are for. If not, go there and check it out. This post details my method for comparing certifications.

First, go to each certification’s website and review each certification’s pre-requisites. If you don’t have any of them, it’s probably not wise to do the next step with that one. While I recommend challenging yourself and pursuing a certification for which you do not have all of the pre-requisites, if you have absolutely none of them, you’ve identified what you need to learn and that the certification you are considering will not teach you that.

Second, consider your career trajectory… then throw it away. Some certifications have specific paths that are laid out for you. If you go into the CISSP world, you’re “supposed” to be a manager. If you use Offensive Security, you’re “supposed” to be a penetration tester. While it’s true that these certifications have somewhat high value in these areas, increasingly, security practitioners are expected to know a bit of everything and be good at what they’re good at. It’s about the learning process. Unless you have no interest in learning (in which case, go away, this post is not for you), you’ll be better off picking a certification based on what you’ll learn from the process. If you pick a career path laid out for you by someone else, you’re not only trusting your life to guesswork… but to someone else’s guesswork. For example, my grandfather gave me my first computer because it was the wave of the future… but also gave me a slide rule… “because you’ll need to be able to take something into the field with you”. If you’re going to screw up your career path, at least do yourself the favor of doing it to yourself so you can analyze why you wound up where you did and can correct from there.

Third, review what the different certifications cover. For each topic covered, give yourself a rating based on how well you know the topic.

  • 0 = No idea what the topic means
  • 1 = Have a bit of clue about the topic, maybe played with it in a lab
  • 2 = Have done this professionally or played with it a lot in a lab environment. Still have room to learn.
  • 3 = Have done this enough to consider yourself something of an expert
  • 4 = Understand this topic inside and out. Comfortable teaching it to others.

Now, take an average of all your ratings and divide it by four. This will give you a percent of what you already know from what the certification will teach you. Subtract this from 100% to get the amount you will learn from the certification.

Fourth, you have to factor in your time. Most of us have a loaded rate for work that includes salary and benefits. If you know this number, use it. If not, take your hourly rate (convert if you’re salaried) and multiply it by 1.5. If you’re unemployed, figure out what you’d charge doing freelance work. You can quibble over this all you like. Really, you’re just measuring the cost of the time it takes to gain a certification, as that time could be used to boost your skills by working overtime at your day job or doing freelance work in the evenings.

Finally, estimate the time you’ll spend on the certification, multiply it by your rate, add the certification costs and you’ll have a dollar estimate. Take your learning percentage and divide it by the dollar estimate and you’ll get a number that you can use to compare how valuable that particular certification will be for you.

In other words, Value = (Learning Percentage) / ((Time Spent * Hourly Rate) + (Cost of Certification)). When comparing certifications, the highest value wins.

Here are two examples. Since a lot of the information about tests is hidden behind registration links, I won’t do a complete analysis… just enough to give you an idea of what I’m talking about. In this, we’ll assume that my time value is $50/hr. Basically, I am choosing this number because it makes the math easier and should be in line with a mid-level career person that loves learning enough to drop the “personal cost” a bit. If you’re entry level, it’ll be lower. If you’re well seasoned and have other hobbies, it’ll be higher.

Note: I am also assuming a “zero” time cost to taking in-person classes. There is actually a time cost here, but for most people, it’ll be incurred by your organization, not you. If this isn’t the case, add the time cost back in.

Example: CISSP-ISSAP

This certification would extend my existing CISSP to focus on architecture. Reviewing the Candidate Information Bulletin, there’s a lot of information covered. Here are the first two domains. My score for each point is in brackets at the end. (The typo for “Methodology” is theirs… sorry.)

1) ACCESS CONTROL SYSTEMS AND METHODOLGY
A. Apply Access Control Concepts Methodologies, and Techniques
A.1 Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege) [4]
A.2 Access control administration [4]
A.3 Identification, authentication, authorization, and accounting methods [3]
A.4 Identify and access management architecture [3]
B. Determine access control protocols and technologies (e.g., RADIUS, Kerberos, EAP) [3]

2) COMMUNICATIONS & NETWORK SECURITY
A. Determine Communications Architecture
A.1 Unified communication (e.g., convergence, collaboration, messaging) [2]
A.2 Transportation mechanisms (e.g., voice, facsimile) [4]
B. Determine Network Architecture
B.1 Network types [3]
B.2 Protocols [3]
B.3 Securing common services (e.g., wireless, email, VoIP) [4]
C. Protect Communications and Networks
C.1 Firewalls [4]
C.2 Gateways, routers, and switches architecture (e.g., access control, segmentation, out-of-band management) [4]
C.3 Detection and response [4]
C.4 Content filtering [4]
C.5 Device control [4]
D. Identify Security Design Considerations and Associated Risks
D.1 Interoperability [2]
D.2 Audit requirements (e.g., regulatory, legislative) [3]
D.3 Security configuration (e.g., baseline) [4]
D.4 Remote access [4]
D.5 Monitoring (e.g., sensor placement) [4]
D.6 Network configuration (e.g., physical, logical, high availability) [4]
D.7 Operating environment (e.g., virtualization, cloud computing) [4]

So, for the first two domains of the CISSP-ISSAP, we get (4+4+3+3+3+2+4+3+3+4+4+4+4+4+4+2+3+4+4+4+4+4) / (22 * 4) = .886 for a “known” ratio. This means that the percentage that I have to learn is 11%.

Now let’s look at costs. The official textbook runs $80. The review class runs $2,195. The test costs $449. And the certification costs $82.50. (Not required, but included because the GIAC cert comes with passing the test and we want to be as fair as possible.)

So, we have two options.

* Take the full in-person class (assuming the course book is included with the class): $2,195 + $449 + $82.50 = $2,726.50. Add to this study time of 20 hours at $50/hr and you get $3,726.50.
* Wing it with the textbook: $80 + $449 + $82.50 = $611.50. Add to this study time of 40 hours at $50/hr and you get $2,611.50.

So, if I were to take the in-person class, I’d get a learning value of 11/3,726.50, or 0.295%. If I were to wing it, my learning value would be 0.42%… but the burden of the work would be on me.

Example: SANS/GIAC GXPN

Let’s compare this to the SANS/GIAC Advanced Penetration Testing Essentials / GXPN option. Looking at Day 1, we have the following list of learning objectives:

Low profile enumeration of large Windows environments without heavy scanning [1]
Strategic target selection [2]
Remote Desktop Protocol (RDP) [1] and man-in-the-middle attacks [1]
Windows network authentication attacks (e.g., MS-Kerberos, NTLMv2, NTLMv1, LM) [2]
Windows network authentication downgrade [0]
Discovering [3] and leveraging MS-SQL for domain compromise without knowing the sa password [1]
Metasploit tricks to attack fully patched systems [1]
Utilize LSA Secrets and service accounts to dominate Windows targets [1]
Dealing with unguessable/uncrackable passwords [2]
Leveraging password histories [1]
Gaining graphical access [2]
Expanding influence to non-Windows systems [3]
Exploiting single sign-on systems [1]
Escaping restricted desktops [1]

So, for the first day of this class, we get (1+2+1+1+2+0+1+1+1+2+1+2+3+1+1) / (15*4) = .333 for a “known” ratio, or a learning percentage of 67%.

Looking at costs, it’s a tad more complex, with more options, but fewer parts. The vLive version of the course costs $4,370. The Self Study option costs $3,916. The Conference version costs $4,595. For all options, the test costs $549.

So we have three learning ratios to calculate:

* Self Study: 67 / ($3,916 + $549 + 60*$50) = 0.89%
* vLive: 67 / ($4,370 + $549 + 40*$50) = 0.97%
* Conference: 67 / ($4,595 + $549 + 20*$50) = 1.09%

Example: CISSP-ISSAP vs SANS/GIAC GXPN

So, as you see, even though it’s the most expensive option, you maximize learning when compared to time and dollar costs with the GXPN Conference option.

Certification Option      Cost        Learning Value
CISSP-ISSAP Class         $3,726.50   0.295%
CISSP-ISSAP Self Study    $2,611.50   0.42%
GXPN Self Study           $7,465      0.89%
GXPN vLive                $6,919      0.97%
GXPN Conference           $6,144      1.09%
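As an added example (my own code, not from the original post), here is the comparison method above carried through in code with the post’s own self-ratings, fees, study hours and $50/hr rate, producing the same table. The one assumption is that the learning percentage is rounded to a whole percent before dividing, as the post does (11% and 67%).

```python
# Certification comparison from the post: Value = learning % / (time * rate + fees).


def known_ratio(ratings):
    """Average of the 0..4 self-ratings divided by 4: the share you already know."""
    return sum(ratings) / (4 * len(ratings))


def learning_pct(ratings):
    """What the certification would teach you, rounded to a whole percent as in the post."""
    return round(100 * (1 - known_ratio(ratings)))


def cert_value(learning, fees, study_hours, hourly_rate):
    """Learning percentage per dollar of total cost (fees plus the value of your time)."""
    return learning / (study_hours * hourly_rate + fees)


def compare(options, hourly_rate):
    """Rank options best-first. Each option is (name, ratings, fees, study_hours)."""
    rows = []
    for name, ratings, fees, hours in options:
        learning = learning_pct(ratings)
        total_cost = fees + hours * hourly_rate
        rows.append((name, total_cost, cert_value(learning, fees, hours, hourly_rate)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Self-ratings transcribed from the post: first two ISSAP domains, GXPN day 1.
ISSAP_RATINGS = [4, 4, 3, 3, 3, 2, 4, 3, 3, 4, 4, 4, 4, 4, 4, 2, 3, 4, 4, 4, 4, 4]
GXPN_RATINGS = [1, 2, 1, 1, 2, 0, 1, 1, 1, 2, 1, 2, 3, 1, 1]

# Fees (course or book + exam + certification) and study hours from the post.
OPTIONS = [
    ("CISSP-ISSAP Class", ISSAP_RATINGS, 2195 + 449 + 82.50, 20),
    ("CISSP-ISSAP Self Study", ISSAP_RATINGS, 80 + 449 + 82.50, 40),
    ("GXPN Self Study", GXPN_RATINGS, 3916 + 549, 60),
    ("GXPN vLive", GXPN_RATINGS, 4370 + 549, 40),
    ("GXPN Conference", GXPN_RATINGS, 4595 + 549, 20),
]

if __name__ == "__main__":
    for name, cost, value in compare(OPTIONS, hourly_rate=50):
        print(f"{name:24} ${cost:>9,.2f}  {100 * value:.3f}%")
```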

Now, there are a LOT of variables at play here. If you mis-estimate the time you’ll spend or the amount of money your time is worth, you’ll get drastically different values. So think about these numbers carefully before you decide for certain which certification to pursue.

Once you’ve followed this process, you’ll have an idea as to which certification to pursue. If you are in this solely for the learning, stop now. The next post is not about certification but focuses on extending your learning in a way that is visible and gets you both known in the community (building the Who You Know) and in gaining and demonstrating experience.