You can't secure what you don't acknowledge.SM

Wednesday, June 21, 2017

Using Centrifuge for IoT security testing

I love hacking things, especially new things like what's showing up on networks around the globe in the form of IoT. If IoT security is anywhere on your radar, you're likely incorporating these devices into your security testing program. Well, there's a new IoT security assessment tool in town that you need to know about called Centrifuge, brought to you by Tactical Network Solutions - makers of the former (and awesome) Reaver Pro tool.

Centrifuge is a cloud-based platform that can reverse engineer binary firmware files and analyze them for security flaws. It supports various IoT systems, including firmware from common routers and network devices from Belkin, D-Link, and Linksys, and finds some interesting stuff. For example, here's the platform showing the file structure from an older Netgear R7000 wireless router's firmware:

And here's the output of Centrifuge's crypto analysis...note the public and private keys uncovered:


The most telling is the number of vulnerabilities uncovered (an amazingly scary number of command injections and buffer overflows in just one product's firmware) as shown here:
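As an added example of the kind of crypto check described above (my own illustration, not Centrifuge's code or output), here is a minimal scanner that walks a firmware image for PEM-armoured key blocks, flags private-key material and fingerprints each block so the same key can be spotted across firmware versions or products. The firmware bytes and key bodies are constructed filler, not real keys.

```python
"""Scan a firmware image for embedded PEM key material."""
import base64
import hashlib
import re

# A PEM block: -----BEGIN LABEL----- base64 body -----END LABEL-----
PEM_RE = re.compile(rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----"
                    rb"(?P<body>[A-Za-z0-9+/=\s]*?)-----END (?P=label)-----")
PRIVATE_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
                  "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}

def pem_block(label, der):
    """Wrap DER bytes in PEM armour the way OpenSSL writes it (76-char lines)."""
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"

# Constructed test image: filler bytes around two PEM blocks whose bodies are
# deterministic padding, NOT real keys.
FAKE_PUBLIC_DER = bytes(range(64))
FAKE_PRIVATE_DER = bytes(range(256)) * 2
SAMPLE_IMAGE = (b"\x7fELF" + b"\x00" * 100
                + pem_block(b"PUBLIC KEY", FAKE_PUBLIC_DER)
                + b"\xff" * 37
                + pem_block(b"RSA PRIVATE KEY", FAKE_PRIVATE_DER)
                + b"\x00" * 16)

def scan_pem(image):
    """One finding per PEM block: offset, label, private?, valid base64?, fingerprint."""
    findings = []
    for m in PEM_RE.finditer(image):
        label = m.group("label").decode("ascii")
        body = re.sub(rb"\s+", b"", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            der = None  # armour present but body corrupt or truncated; still worth reporting
        findings.append({
            "offset": m.start(),
            "label": label,
            "private": label in PRIVATE_LABELS,
            "valid_base64": der is not None,
            "der_bytes": len(der) if der else 0,
            # Same fingerprint across firmware versions or products = one key shipped to every unit.
            "fingerprint": hashlib.sha256(der).hexdigest()[:16] if der else None,
        })
    return findings

def private_key_findings(findings):
    """The ones that matter most: anyone holding the image now holds the device's private key."""
    return [f for f in findings if f["private"]]
```

Run it against a raw image dump (or each file extracted from the filesystem) and diff the fingerprints between releases; a private key that never changes is the finding to escalate.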

IoT poses formidable security threats to end consumers and businesses alike, and those of us in IT and security need to be paying attention. We simply cannot rely on IoT vendors to keep things in check. Instead, we have to find and resolve security flaws ourselves and establish compensating controls where possible. Clearly, there's a lot going on in terms of IoT; at least we have tools like Centrifuge coming to market to help us further the cause.

Monday, May 15, 2017

The real reasons behind the WannaCry ransomware

As we continue down the path of yet another major security breach - this time with the ransomware WannaCry - let us remember that it's not just about the criminal hackers, out-of-control government agencies such as the NSA, or vendors such as Microsoft putting out vulnerable software. Every single one of us working in IT, security, and business today is complicit in these challenges.
  • Outdated/unsupported operating systems are running. We are responsible.
  • Patches are not getting installed in due time. We are responsible.
  • People are clicking links and making other bad decisions. We are responsible.
  • Stuff is happening on the network, sight unseen. We are responsible.
  • Policies are ignored. We are responsible.
  • Unfunded mandates still exist. We are responsible.
  • Systems – even entire network environments – remain untested. After all, you can't secure what you don't acknowledge. We are responsible.
  • Underscoped and unauthenticated vulnerability scanning and penetration testing paints an inaccurate picture of the average security posture. We are responsible.
  • Incident response procedures remain undocumented. We are responsible.
  • Credibility and relationships are essential for mastering information security, yet we continue to focus on everything but that. We are responsible.
  • Information security continues to be seen as IT's problem. We are responsible.
I don't know how many more widespread breaches we'll have to endure but I do know that everyone has a hand in these challenges before us. We can continue down the path of promising that we are compliant and secure when we are, in reality, reacting aimlessly to everything that happens. I know that managing enterprise IT environments is not easy and I certainly don't envy anyone responsible for securing them. Still, there is so much that most organizations are leaving on the table. But, why?

Is it people protecting their territories under the guise of long-term job security? Perhaps it's lack of budget or management buy-in? Maybe it's an out-of-control user base continuing to not think before they act...?

Whatever it is, it needs to change. The criminal hackers and those supporting them are not going away. In fact, they look at issues such as the WannaCry ransomware outbreak as yet another reason they need to keep doing what they're doing. As the saying goes: change before you have to.

Monday, May 8, 2017

My CSO interview/story: What it takes to be an independent information security consultant

I'm very honored to have been interviewed recently for CSO Magazine about my background and what it takes to stand out - and survive - as an independent security consultant. Check it out here:

Thanks for the nice write-up, Bob Violino!

Monday, April 3, 2017

People will violate your policies all day long...if you let them.

I recently saw this out in front of a local restaurant where management was trying to resolve parking, sidewalk access, and traffic issues. Their "control" obviously doesn't work:

Be it parking cars or using computers, instant gratification is the name of the game. People want what they want. They want it right now. And, they will take the path of least resistance - and violate your policies in the process to get it - especially when enforcement is weak like in the picture above.  

Good lesson for IT and information security leaders. Lots of room for improvement in this area.

Friday, March 31, 2017

Monday, March 13, 2017

Web and mobile application security vulnerability and penetration testing resources

Application security is no doubt one of the most important aspects of a security program. Here are some new pieces I've written that can help keep your web and mobile app vulnerabilities in check and your application security program on the right track. Pay special attention to the last one regarding security assessments and reality:

Keeping your Web applications in check with HIPAA compliance
Mobile app security risks could cost you millions
Common oversights in mobile app security
How to stay ahead of the curve in application security
Protecting Web applications with network controls - Is it effective?
Secure coding job interview questions
Ignore these common mobile app security risks at your own peril
Why Security Assessments are Often not a True Reflection of Reality

And, in case you missed the RSA conference this year, here are some pieces that I wrote to recap the show:
Top stories coming out of the 2017 RSA Conference worth paying attention to
What you need to know about the 2017 RSA Conference
RSA Conference tips for CISOs – From 10 years ago to today
IoT at RSA: A New Focus on Old Problems

Be sure to check out my other information security resources on my website and follow me on Twitter @kevinbeaver.


Friday, March 3, 2017

Email phishing services: Just what you need to know to start mastering the task

Got phished? Of course you have...whether you know it or not! 

As with penetration and vulnerability testing and any other form of security assessment, you need to be performing email phishing tests on your users – all of them, including executive management – on a periodic and consistent basis. I'm doing more and more of this work, and the results I'm finding are to the point that all other security testing could be stopped and existing security technologies could be eliminated unless and until this situation is under control. I'm finding these gaping holes in IT and security programs not because I'm smart...I just use good tools and know what to do/say beyond traditional email phishing testing - which, by the way, stinks out loud in most organizations and serves as a mere checkbox item.

I'm not going to give away all of my secrets - that's what my independent email phishing consulting services are for. But I will share with you some insight and tips that you're probably not going to find elsewhere or that might require some painstaking "experience" to learn otherwise. Here you go:

Be sure to check out all of my other information security resources on my website when you get a chance. Cheers!

Monday, February 6, 2017

Getting to know your network with Managed Switch Port Mapping Tool

In my years performing independent network security assessments, one thing that has really stood out to me is the lack of network insight. Regardless of the size of the organization, the industry in which they operate, and the level of security maturity, in most cases, I see IT and security shops with very little:
  • documentation
  • inventory
  • configuration standards
  • logging and alerting outside of basic resource monitoring
What this means – and what it can easily lead to – is incidents and subsequent breaches that may or may not be detected. These gaps combined with today's network complexities are virtually guaranteed to create unnecessary business risks.

In the spirit of having good tools to make your job easier, Northwest Performance Software has a program called Managed Switch Port Mapping Tool that can help put you on the right track in terms of getting to know your network environment, improving your visibility, and managing your ongoing changes. It's a tool that I have used off and on for years in conjunction with their popular toolset called NetScanTools Pro. The Managed Switch Port Mapping Tool is pretty straightforward – it simply uses SNMP to map out network switches which can provide a ton of information about entire network segments - information that often gets taken for granted. Here's a sample screenshot:
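To show what "uses SNMP to map out network switches" actually involves, here is an added example (my own code, not Northwest Performance Software's) that joins the BRIDGE-MIB forwarding table to IF-MIB interface names: dot1dTpFdbPort gives bridge port per learned MAC, dot1dBasePortIfIndex maps bridge port to ifIndex, and ifDescr names the interface. The walk output is constructed in `snmpwalk -On` numeric style and is not from a real switch.

```python
"""Join BRIDGE-MIB and IF-MIB walk output into an interface -> MAC map."""
import re
from collections import defaultdict
# Standard OID column prefixes (numeric form) that the join relies on.
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2."           # dot1dTpFdbPort, indexed by MAC as 6 decimal octets
BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex, indexed by bridge port
IF_DESCR = "1.3.6.1.2.1.2.2.1.2."              # ifDescr, indexed by ifIndex
# Constructed sample in `snmpwalk -On` style; not captured from a real switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.34 = INTEGER: 7
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10103
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10107
.1.3.6.1.2.1.2.2.1.2.10103 = STRING: GigabitEthernet1/0/3
.1.3.6.1.2.1.2.2.1.2.10107 = STRING: GigabitEthernet1/0/7
"""
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[\w-]+): (?P<value>.*)$")

def parse_walk(text):
    """Return {oid: value}, leading dot and quotes stripped; malformed lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows[m.group("oid")] = m.group("value").strip().strip('"')
    return rows

def column(rows, prefix):
    # Slice one MIB column out of the walk: {row index: value}.
    return {oid[len(prefix):]: v for oid, v in rows.items() if oid.startswith(prefix)}

def mac_from_index(index):
    """dot1dTpFdbTable rows are indexed by the MAC written as six decimal octets."""
    return ":".join(f"{int(octet):02x}" for octet in index.split("."))

def build_port_map(walk_text):
    """Map interface name -> sorted MACs learned on it (bridge port -> ifIndex -> ifDescr)."""
    rows = parse_walk(walk_text)
    if_names = column(rows, IF_DESCR)
    bridge_to_ifindex = column(rows, BASE_PORT_IFINDEX)
    ports = defaultdict(list)
    for index, bridge_port in column(rows, FDB_PORT).items():
        # Fall back to the raw bridge port when the IF-MIB join is missing.
        name = if_names.get(bridge_to_ifindex.get(bridge_port), f"bridge-port-{bridge_port}")
        ports[name].append(mac_from_index(index))
    return {name: sorted(macs) for name, macs in ports.items()}

def multi_mac_ports(port_map):
    """Ports learning several MACs are usually uplinks, hubs or unmanaged switches."""
    return sorted(name for name, macs in port_map.items() if len(macs) > 1)
```

On VLAN-aware switches the forwarding table is often per-VLAN (community@vlan indexing or Q-BRIDGE-MIB dot1qTpFdbPort), so expect to walk it once per VLAN to get the full picture.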

We work in a world where vendors are pushing SIEM, CASB, and Next-Gen Whatevers while, at the same time, we don't even have the network and security basics down pat. We're too busy spending time and money on the latest and greatest technologies when we need to just go back and do more to get a grasp on the core essentials of the network. Once that has been achieved, then – and only then – does it make sense to buy into what we're being sold. Just be careful, because such proposals may not always be in your best interest!

Kirk Thomas at Northwest Performance Software has been creating these network tools for a couple of decades now. I first learned about NetScanTools back in the mid-1990s at Novell's BrainShare conference (remember the awesome OS called NetWare!?). Anyway, if you're looking to get a better grasp on your network while, at the same time, improving your overall security posture, check out these tools. They'll only serve to make you look better. If you're like me, you can use a dose of that every now and then!

Thursday, January 19, 2017

Children's Hospital Los Angeles breach reminds us that HIPAA means nothing if you ignore its requirements

Back in 2007 I wrote a blog post on what it's going to take to encrypt laptop hard drives. After seeing this recent story about Children's Hospital Los Angeles, I can't help but shake my head.

The 0 comments on this article say a lot, as society is becoming immune to these breaches...I think I've heard it called breach fatigue - it's not unlike presidential politics as of late!

In 2007, these decisions were bad enough...Like weak passwords, unencrypted laptops - especially if they're known to have PHI or PII - are simply inexcusable knowing what we now know in 2017. Doctors are smarter than that.

If anything - like all other lost/stolen laptops with sensitive information that have been regulated by things such as HIPAA for 12+ years - it shows that government and industry laws can't force people to make good decisions. Furthermore, "smart" people in positions of power running businesses don't know as much about security as they think they do and aren't as immune to security gaffes as they think they are.