Protecting and Passing Along Digital Assets

I got asked to come add some technical advice to a longer seminar given to a retirement community associated with our church.  They were learning about estate planning, wills, and all of the other details that go with those planning to pass on their legacies.  They were missing a section on how to handle online accounts and digital assets, and asked me to speak for 20 minutes on that.

20 minutes to cover this broad of a topic was rough, but I liked the challenge.  I found that the format of the seminar was more of a “here’s a binder of things to review later, let’s introduce you to each of these things now” sort of thing.  I figured out that I wanted to cover 3 main things:  2FA, password managers, and backups, and looked for handouts that covered those things.  The SANS OUCH letters were written at the level I felt would resonate, and gave each of the participants multiple ways to subscribe and stay informed, so I ended up with those.  I created a few slides, came up with a brainstorming worksheet for getting all of your accounts into a password manager, and brushed up on removing the dreaded ‘Ums’ and ‘Uhs’ and other fillers from my vernacular.

The presentation went really well, lots of nodding heads and good laughs. I got applause and a sense that people felt empowered when they got up to leave.  Early on I used to teach these and everyone’s eyes were as wide as dinner plates, and the feeling was more of shock and fear. I considered those a failure on my part. People never make good decisions out of fear, so I changed my delivery and my goal, to push more for empowerment and “you know this stuff already,  it’s just new terminology” as a mindset.

Here are the materials, including the handouts from SANS.  The transit from Keynote to PDF screwed up a few of the bullet spacings, but the content is all there.  Feel free to use all or parts of this as much as you like.

  • Protecting Digital Assets
  • Password Managers – Ouch
  • Online Assets Worksheet
  • Backups – Ouch
  • 2FA – Ouch

Posted in Tech Stuff

On CryptoLocker, Ransomware, and Security Fundamentals

I’m very late to the party, and not fashionably so. Much of the ransomware discussion has flared and faded after the Hollywood Presbyterian Medical Center story hit the feeds. Last week at work, a call went out for an executive brief on CryptoLocker and ransomware in general, and I was buried in a client deliverable and the chance passed me by. Unfortunately, my brain doesn’t let things go very well, and during quiet moments it keeps coming back to how I’d approach the question of how organizations can prepare for these sorts of threats. The thought I keep coming back to is this:

CryptoLocker variants hit IT departments in the fundamentals. If your practices around backups/restores, least-privilege, web filtering, malware defenses, and user training are weak, it will expose them. While there are excellent products and services that can help with any of these things, there is no replacement for doing the fundamentals well. 

It’s a lot of work to get these fundamentals drilled in to the point they’re second nature. Backups seem simple but there’s a lot of time and attention needed to make sure you can restore what you need, when you need it, and in a reasonable amount of time. One-off tests restoring a single file every month don’t quite cut it. You need to understand what and where all of the critical data is, then map out comprehensive tests that confirm you can get it back. Also, those backups need to be offline in such a way that replication, either good or bad, cannot harm what you intend to retain. When you can do that at-will, the idea of someone locking up or deleting all your data is much less scary.

Least-privilege is another thing that sounds easy but takes even more time and attention. If you’re a large organization that’s never done a Role-Based Access initiative, you may not know what each person needs to access in order to do their job. For new access, many places take the “it’s working now, let’s just copy it” approach. So if Mike leaves the company, you hire someone with similar skills for what you think Mike did, and you tell IT to make the new person’s account “just like Mike’s.”  The problem is that Mike grew in his responsibilities while he worked for you, so he had a bunch of access rights that he held onto so he could back up his old teammates. Mike’s great, we love Mike, and we’re gonna miss him, but he’s got a lot of cruft. So when you copy his rights to a new person, that person has access to a lot more things than they need. It doesn’t happen just once, it happens all the time and for years at a time, and these things build. Superfluous rights then become the devil’s playground.
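To make the “just like Mike’s” problem concrete, here is a small added illustration (my own example, not code from the post) that models account cloning across several hires and then reports every right an account holds beyond its role’s baseline. The role names, account names and entitlement names are constructed sample data.

```python
"""Model of the "make the new account just like Mike's" practice.

Added illustration, not the post's own code. Roles, accounts and
entitlement names below are constructed sample data.
"""

# Constructed baseline: what each role actually needs, which is the
# sort of table a Role-Based Access initiative would produce.
ROLE_BASELINE = {
    "dba": {"db_admin", "vpn"},
    "helpdesk": {"ticketing", "password_reset", "vpn"},
}


def clone_account(accounts, source, new_name, role):
    """Create new_name by copying source's rights verbatim."""
    accounts[new_name] = {"role": role, "rights": set(accounts[source]["rights"])}
    return accounts[new_name]


def superfluous_rights(accounts, baseline):
    """Return, per account, the rights it holds beyond its role's baseline."""
    report = {}
    for name, acct in accounts.items():
        extra = acct["rights"] - baseline[acct["role"]]
        if extra:
            report[name] = sorted(extra)
    return report


def simulate_cloning(generations=3):
    """Mike started on the helpdesk, moved into DBA work and kept his old
    rights; each successor is cloned from the previous hire and picks up
    one more share while covering for teammates."""
    accounts = {
        "mike": {
            "role": "dba",
            "rights": {"db_admin", "vpn", "ticketing", "password_reset", "backup_restore"},
        }
    }
    previous = "mike"
    for i in range(1, generations + 1):
        new = f"hire{i}"
        clone_account(accounts, previous, new, "dba")
        accounts[new]["rights"].add(f"legacy_share_{i}")
        previous = new
    return accounts


if __name__ == "__main__":
    for name, extra in superfluous_rights(simulate_cloning(), ROLE_BASELINE).items():
        print(f"{name}: {len(extra)} rights beyond baseline -> {extra}")
```

Each cloned account carries every superfluous right of its predecessor plus its own, so the excess only grows until someone compares accounts against a role baseline instead of against the last person in the chair.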

In the case of web filtering and malware defenses, you set up browser filtering so users can’t stumble into known malicious territory, and you install various antivirus/anti-malware solutions. You’re not only watching what’s coming into your organization, but you’re looking at the traffic that’s leaving and making sure none of it contains credit card strings, social security numbers, or other key data you collect. Because the attackers will likely use encryption to hide the traffic, you should be watching and possibly decrypting that traffic, and treating confidential browsing data responsibly. If you’re doing it right, you’ve tuned the false positive rate down far enough that people can get their jobs done but it gets your attention immediately if something’s wrong. Again, tuning that solution takes focus by your IT staff, and it’s not a one-time effort.

The last tier of your defense is one that’s often maligned, overlooked, or underrated: User Training. You should train your staff to understand the basics of the threats that are out there, and how to act when they detect something that’s not quite right. You hire competent professionals with good critical thinking skills; you should absolutely use them to defend your organization. Building good security habits takes time and effort to instill as part of your culture, but it is imperative to maintaining a healthy defense.

And in looking at all of these fundamental practices from an executive perspective, these things are expensive in work hours and expertise. It may seem like it’s just cheaper to pay the ransom. The problem with that mindset is that it only solves the problem as it exists today. $17,000 to keep a hospital running and save patient lives seems reasonable, and many of us might make that same trade if we had to make that decision. But these equations are going to change. The attackers will get bolder, the ransom demands will increase, or the type of threat will increase either in severity or scope. When the stakes change, you need to have more than one option available to you.

The beautiful thing about taking the time to do security fundamentals right is that it will help you against more than just ransomware. When these practices and habits are ingrained in your operations, you significantly decrease your exposure to a myriad of threats as they exist today and in the foreseeable future. The path to good security travels right through efficient operation, and empowers and enlightens your organization. You shouldn’t chase good security to avoid punishment, you do it because it pushes aside the noise and lets everyone focus on bigger and better things.

Note:  I’ve listed only a few security controls for the sake of brevity (too late?). For a more comprehensive list, the CIS Top 20 Critical Security Controls is an excellent framework to approach a better security foundation. 

Posted in Tech Stuff

Quitting the “hey, where’re you at?” game

Just a quick one:

A while back I was looking back at the texts between me and my wife, and I realized that a good chunk of the non-mushy ones were just “hey, where are you?” or “what’s your ETA?”  It also occurred to me that most of these occurred when either of us was driving by ourselves.  This is a problem, and I like to fix problems.

Texting and driving is dumb, but the temptation to just fire off a quick “be there in 10” or similar message is hard to resist at times.  After talking to Maggie for a while about it, we decided to do two things:  stop texting the other when we know they’re driving, and enable “Find My Friends” on our phones to cut that entire “where you at?” conversation out.

The Find My Friends thing is a security concern and it makes me twitchy about information leakage.  With that said, I made the tradeoff and it’s been incredibly handy and got rid of a huge life-safety issue, so I’m happy with it.  If a lot of your conversations revolve around querying the location and ETA of a loved one, I’d highly recommend looking into either Find My Friends (iPhone) or Glympse (iPhone/Android).

Posted in Friends and Family, Miscellaneous Ramblings and Rants, Tech Stuff

Mr. Radnitzer made me a better security admin

I was 9 years old and my third grade teacher was Mr. Radnitzer.  I’ve searched for his first name, but after 30-ish years those records are long gone.  I want to say his first name was Karl, but that’s a blind guess.  He looked like a Karl though.  He wasn’t impressed with my elevated reading level and vocabulary; he wanted to know why I was behind in math, and all of my trying to talk my way out of it wasn’t going to fly.  I was lucky growing up; I think every teacher in every year had engaged me in some way and been tenacious in getting me to push where I was weak.   Mr. Radnitzer wasn’t content to just give me bad grades on incomplete homework, he’d make me stay after and sit with me, and make me talk through problems.  If that was all he’d done for me I’d be pretty lucky, but there’s one other thing I remember that forever changed how I approach pretty much everything.

That year was the year that I got introduced to the Scientific Method.  I think it was the simple exercise of picking a hypothesis about why a given thing happened, and then we’d talk through how you’d test it.  And we did that and it was cute and then we were done with it.  And in subsequent years other teachers put more emphasis on it and pushed us to approach things in that way.  But Mr. Radnitzer planted the seed.  I hadn’t realized it until much later in life, but all of that emphasis on approaching every new thing in a scientific way has made me successful not only as a systems and security admin, but in so many other areas of my life.

I was talking to a longtime friend about how we handled interviewing and hiring candidates for systems, security, database, or any other kind of admin.  We tested their technical skills, made sure that what they claimed on their resume was true, and that usually didn’t take that long.  But we both had a stringent requirement that the person had to have an “analytical mindset” and we’d ask probing questions to try and get them to demonstrate it.  I’d put the candidate on shaky ground and see how they did.

“I’m aware you don’t have experience with this skill yet, but if someone told you that only VOIP wasn’t working between one site and another, but normal data was flowing through, what things would you do to approach the problem?”

I’d ask database admins this question, or OS admins who weren’t being hired for anything related to network or voice troubleshooting.  And you’d look for lots of things besides just the technical approach to the problem itself.

  • Was the candidate comfortable in what they knew and what they didn’t know, or would they attempt to attack the assertion that they didn’t know the given skill?  Would they claim expertise on a skill they hadn’t mastered yet?
  • When they approached the problem, would they immediately test the facts/constraints they were given?
  • Would the candidate ask if they had other help to pull from, either a coworker or a support contract to assist?
  • Did they ask to clarify the urgency of the problem and address the issue differently based on the urgency?

The problem didn’t have an answer, it didn’t really need one, it was a simulation to see how a given person approached the unknown.  We were looking for people who were not only comfortable but fascinated with the unknown, and had some experience approaching it in a way that gave them a good foothold as quickly as possible.   Those people, assuming they passed other socialization tests (i.e. not an asshole) and have demonstrated enough self-discipline to get themselves cleaned up and to work on time regularly, are the people you want alongside you when the defecate hits the oscillator.

As I’ve been looking back over my career and trying to figure out what I can bring to an InfoSec position, I realized that saying “I think on my feet” is only part of the equation.  I have a lifetime of observation, hypothesis, testing, and re-evaluation that defines how I look at and interact with the world.  And I owe it at least in part to my third grade teacher, Mr. Radnitzer.

Posted in Tech Stuff

Know thyself, or at least your network

As I’ve been shifting my focus towards information security, I’ve been thinking a lot about all of the different facets of securing a given network.  There’s a lot of moving parts even in relatively simple networks.  While the defender has to secure something on the order of 10,000 or sometimes many more items, an attacker usually only has to compromise a handful to be successful.  The percentages certainly don’t skew well in the favor of the defenders.  It’s enough to make you want to give up, except giving up usually doesn’t pay well and regret isn’t all that nutritious.

While we can’t build completely impenetrable networks, there’s a lot that can be done to detect and slow down would-be attackers that manage to get through.  While security vendors would have you believe their product is the One Thing that will cure all of your ills, the truth is that some of the most productive things are free, at least from a purchasing perspective.

All throughout my life I’ve loved realtime strategy games or dungeon crawlers, especially the ones that start you in a very small corner of the map where you see a smidgen of the world and the rest is dark.  I loved the challenge of carefully expanding that view; learning to never overreach but to keep pushing the boundaries until I filled all of the map. Looking back over 18 years of IT, I’m surprised it took me until about 10 years ago to start playing that game in my work life, but since then I’ve been able to make incredible leaps forward in broadening my understanding and skills.

All of it stems from this simple premise:  If you can’t draw it, you don’t understand it.  If you don’t understand it, you cannot defend it.  Both of them seem like common sense and I would have sneered at them before, but I realized I never pushed those agendas as hard as I should have.   I had my little corner of the world and I’d make diagrams of that, but the rest of it was someone else’s job or was off limits.  They got mad if I asked so I didn’t.  Then I was lucky to work with a group that turned that upside down, where the mindset was “it’s yours to defend, if you don’t understand it then ask.”

And so in between making everything work, keeping the business running, and soothing bruised egos and all of the other expectations of the IT life, I started making maps.  I ran into sections where I didn’t know how things worked, and some of the conversations went really well.  Some of them went like this from my side:

Yes I realize this is very hard to explain.

Yes, I understand you’re on fire right now.

Well then when do you expect to not be on fire?

And then what usually followed was a bunch of colorful four letter words and comments about my parentage.  What I learned from those was to lead with what I knew already, and then ask very specific questions.  So rather than saying “I don’t understand anything about how this app works, can you explain it?” I’d say “I know this app runs on Websphere, and I know eventually it pulls the data from Oracle.   Which server is it on and where’s the config file for which database it hits?” and I’d get my answers and keep filling in the map and they’d be happy I was out of their (burning) hair.

I realized I would have to make at least two types of maps, physical and logical.  The physical maps showed all the places where certain hardware or virtual servers were located and where the links were.  The logical maps showed the flow of information from a given use case into the environment from the start to the end of the given transaction.  And then I’d make hybrid maps that showed the use case and what physical nodes were touched along the way.

Somewhere along the way, the maps became a necessity for more than just me.  The people who’d contributed to them, who’d then looked them over and said, “yes, this is how it works, I don’t know why you chose to draw out all of this other stuff that I don’t care about, but my part is right at least,” were now coming back to me and saying “hey, I need that map you drew for an upcoming change meeting.”  They were glad for the previously irrelevant stuff.   The hybrid maps became essential for audits, and discussing upgrades, and so on.   We started sewing the maps together.  I learned that big picture knowledge is infectious and it comes with a side of gratitude.

A neat bonus was that the types of decisions that we made had fundamentally changed as the maps got better.  We stopped talking about specific niche solutions and products that seemed cool, and started talking about physical and logical needs across environments.  And the overall feel was that none of this mapping exercise was rocket science, but with the greater understanding of our environment we could probably do rocket sciencey stuff.  It was incredibly empowering and in retrospect we should have done it much sooner.

And so you’ve read about 900 words of me saying “ask questions and make maps” and you’re probably thinking to yourself “seriously Jason, tell me more about how the sky is blue and water is wet!”   In sitting down to write this, I realized that what I’m saying isn’t profound, it’s mundane.  Mundane’s ok, it’s Latin for the ground or the earth.  If you don’t have maps of your environment that everyone contributes to, you’ve got very little common ground to stand on.

And so my goal of writing this is to reignite that drive to know every inch of your network, at both a physical and logical level.  With that knowledge, you’ll pick better tools and make better decisions.  The tools you pick will work better because you’ll implement them based on that knowledge, and you’ll have a better understanding of what you need and what you don’t.  You’ll set your tripwires where they’ll do the most good, and when the battle comes to you, at least you’ll have home field advantage.

N.B. It’s good to be proud of your work, and when you make maps there’s sometimes an urge to print and hang them on walls for everyone to see.  Combine that with someone standing next to it and having their picture taken, throw in a little social media, add a dash of high-megapixel cameraphones making that text possible to read, and you’ve got a really bad hack-me kit.  Be careful where you hang your maps.  

Posted in Tech Stuff