On CryptoLocker, Ransomware, and Security Fundamentals

I’m very late to the party, and not fashionably so. Much of the ransomware discussion has flared and faded after the Hollywood Presbyterian Medical Center story hit the feeds. Last week at work, a call went out for an executive brief on CryptoLocker and ransomware in general, and I was buried in a client deliverable and the chance passed me by. Unfortunately, my brain doesn’t let things go very well, and during quiet moments it keeps coming back to how I’d approach the question of how organizations can prepare for these sorts of threats. The thought I keep coming back to is this:

CryptoLocker variants hit IT departments in the fundamentals. If your practices around backups/restores, least-privilege, web filtering, malware defenses, and user training are weak, they will expose them. While there are excellent products and services that can help with any of these things, there is no replacement for doing the fundamentals well.

It’s a lot of work to get these fundamentals drilled in to the point they’re second nature. Backups seem simple, but there’s a lot of time and attention needed to make sure you can restore what you need, when you need it, and in a reasonable amount of time. One-off tests restoring a single file every month don’t quite cut it. You need to understand what and where all of the critical data is, then map out comprehensive tests that confirm you can get it back. Also, those backups need to be offline in such a way that replication, either good or bad, cannot harm what you intend to retain: a backup that the infected workstation can reach over a mapped drive, or that a replication job will dutifully overwrite with encrypted copies, is not a backup, it’s another victim. When you can restore at will, the idea of someone locking up or deleting all your data is much less scary.
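Here is what a restore drill that goes beyond “restore one file a month” looks like in practice. This is an added example, not the post’s own tooling: it builds a constructed production tree, records a manifest of SHA-256 digests alongside the backup copy, simulates ransomware overwriting production, restores, and then checks every file in the manifest. All paths and file contents are invented for the drill.

```python
"""Manifest-driven restore drill (added example, not from the original post).

A backup job reporting "success" is not evidence you can get the data back.
This drill records a manifest of digests at backup time, stores it with the
backup copy (not on the production host), and verifies a restore against it.
Paths and contents below are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every file under root (taken at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Classify every manifest entry as ok / missing / corrupt after a restore."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        p = Path(restored_root, rel)
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def encrypt_like_ransomware(root):
    """Stand-in for CryptoLocker: overwrite every file the account can write to."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(b"ENCRYPTED " + p.name.encode())


def drill(damage_restore=False):
    """Run the whole cycle in a temp dir.

    Returns (report_after_attack, report_after_restore). damage_restore=True
    simulates a partial or bad restore so the drill fails visibly instead of
    passing by accident.
    """
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup, restored = (Path(tmp, d) for d in ("prod", "backup", "restored"))
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("acct,amount\n1001,42.00\n")
        (prod / "notes.txt").write_text("patient intake checklist\n")

        shutil.copytree(prod, backup)          # the offline copy
        manifest = build_manifest(backup)      # manifest lives with the copy

        encrypt_like_ransomware(prod)          # production is now useless
        attacked = verify_restore(manifest, prod)

        shutil.copytree(backup, restored)      # the restore
        if damage_restore:
            (restored / "notes.txt").unlink()
            (restored / "finance" / "ledger.csv").write_text("truncated")
        return attacked, verify_restore(manifest, restored)


if __name__ == "__main__":
    attacked, ok = drill()
    print("after attack :", attacked)
    print("after restore:", ok)
    print("bad restore  :", drill(damage_restore=True)[1])
```

The point of the manifest is that the restore is judged against what the data looked like when it was backed up, not against whatever the backup software reports, and the drill has a deliberate failure mode so you know the check itself works.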

Least-privilege is another thing that sounds easy but takes even more time and attention. If you’re a large organization that’s never done a Role-Based Access initiative, you may not know what each person needs to access in order to do their job. For new access, many places take the “it’s working now, let’s just copy it” approach. So if Mike leaves the company, you hire someone with similar skills for what you think Mike did, and you tell IT to make the new person’s account “just like Mike’s.” The problem is that Mike grew in his responsibilities while he worked for you, so he had a bunch of access rights that he held onto so he could back up his old teammates. Mike’s great, we love Mike, and we’re gonna miss him, but he’s got a lot of cruft. So when you copy his rights to a new person, that person has access to a lot more things than they need. It doesn’t happen just once, it happens all the time and for years at a time, and these things build. Superfluous rights then become the devil’s playground: ransomware runs with whatever rights the user who opened it has, and every share that account can write to is in scope.
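To make the “just like Mike’s” problem concrete, here is an added example (not code from the post) of the kind of drift audit a Role-Based Access effort produces: a role baseline says what a job actually needs, accounts are compared against it, and the writable shares are counted because those are what ransomware running as that user can encrypt. The roles, rights and share names are constructed, not a real directory export.

```python
"""Least-privilege drift audit (added example, not from the original post).

Constructed data mirrors the story in the post: Mike started as an AP clerk,
became an analyst, and kept every right he ever had. Cloning his account
clones the cruft. Right names and share names are hypothetical.
"""

# Role baselines: the minimum a person in that role needs.
# "share:<path>:rw" is write access to a file share, ":r" is read-only,
# "app:<name>" is access to an application.
ROLE_BASELINE = {
    "ap_clerk":    {"share:fin/ap:rw", "app:erp-ap"},
    "fin_analyst": {"share:fin/reports:rw", "share:fin/ap:r", "app:erp-reporting"},
}

# Constructed directory export.
ACCOUNTS = {
    "mike": {
        "role": "fin_analyst",
        "rights": {
            "share:fin/reports:rw", "share:fin/ap:r", "app:erp-reporting",  # needed now
            "share:fin/ap:rw", "app:erp-ap",                                # old role
            "share:hr/payroll:rw", "share:it/backups:rw",                   # "temporary"
        },
    },
}


def clone_account(accounts, source, new_name):
    """The 'make it just like Mike's' provisioning step: copies rights verbatim."""
    src = accounts[source]
    accounts[new_name] = {"role": src["role"], "rights": set(src["rights"])}
    return accounts[new_name]


def excess_rights(account):
    """Rights the account holds beyond what its role baseline needs."""
    return account["rights"] - ROLE_BASELINE[account["role"]]


def writable_shares(account):
    """Shares that malware running as this account could encrypt or delete.
    Ransomware needs write access; read-only shares are not at risk from it."""
    return {r for r in account["rights"] if r.startswith("share:") and r.endswith(":rw")}


def right_size(account):
    """The account trimmed to its role baseline (what RBAC provisioning should issue)."""
    return {"role": account["role"], "rights": set(ROLE_BASELINE[account["role"]])}


def audit(accounts):
    """Map each account name to its sorted excess rights, skipping clean accounts."""
    report = {}
    for name, acct in accounts.items():
        extra = excess_rights(acct)
        if extra:
            report[name] = sorted(extra)
    return report


if __name__ == "__main__":
    clone_account(ACCOUNTS, "mike", "new_hire")      # the cruft propagates
    for name, extra in audit(ACCOUNTS).items():
        print(f"{name}: {len(extra)} excess rights -> {extra}")
    nh = ACCOUNTS["new_hire"]
    print("writable shares as provisioned:", sorted(writable_shares(nh)))
    print("writable shares right-sized:   ", sorted(writable_shares(right_size(nh))))
```

Note the `share:it/backups:rw` entry: an online backup target that an ordinary user account can write to is exactly the replication path the backups section warns about, and a least-privilege audit is one of the ways you find it.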

In the case of web filtering and malware defenses, you set up browser filtering so users can’t stumble into known malicious territory, and you install various antivirus/anti-malware solutions. You’re not only watching what’s coming into your organization, but you’re looking at the traffic that’s leaving and making sure none of it contains credit card strings, social security numbers, or other key data you collect. Because the attackers will likely use encryption to hide the traffic, you should be watching and possibly decrypting that traffic, and treating confidential browsing data responsibly. If you’re doing it right, you’ve tuned the false positive rate down far enough that people can get their jobs done but it gets your attention immediately if something’s wrong. Again, tuning that solution takes focus by your IT staff, and it’s not a one-time effort.
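The “tuning” in that paragraph is mostly about telling real card numbers and SSNs apart from the order numbers and ticket IDs that look like them. As an added example (not from the post, and not any vendor’s product), here is the core of that check in Python, run over constructed sample lines standing in for request bodies already decrypted at the proxy: the Luhn checksum rejects 16-digit strings that aren’t card numbers, the SSN rules reject prefixes the SSA never issues, and findings are masked so the alert itself doesn’t become a second leak.

```python
"""Egress content inspection (added example, not from the original post).

Scans decrypted outbound request bodies for payment card numbers and US
SSNs. The Luhn check and the SSN allocation rules are the false-positive
tuning: a 16-digit order number or a 9-digit ticket ID must not page anyone.
Sample lines are constructed; 4111 1111 1111 1111 is a well-known test PAN.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the common AAA-GG-SSSS form.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs that look like a PAN and pass Luhn; separators stripped."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def ssn_plausible(area, group, serial):
    """SSA allocation rules: area 000, 666 and 900-999, group 00 and serial 0000
    are never issued, so those are ticket numbers, not people."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    return [m.group() for m in _SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


def mask(value):
    """Keep only the last four characters; the alert must not carry the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(lines):
    """Return (line_no, kind, masked_value) findings for a batch of lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask(pan)))
        for ssn in find_ssns(line):
            findings.append((n, "SSN", mask(ssn)))
    return findings


# Constructed sample of decrypted outbound request bodies.
SAMPLE_LINES = [
    'POST https://example.invalid/upload body="order=4111111111111111 qty=2"',       # test PAN, Luhn valid
    'POST https://example.invalid/track body="order=1234567812345678"',             # 16 digits, fails Luhn
    'POST https://example.invalid/form body="ssn=219-09-9999"',                     # plausible SSN
    'POST https://example.invalid/form body="ref=000-12-3456 ticket=666-01-0001"',  # never-issued prefixes
    'POST https://example.invalid/page body="ok"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Two of the five constructed lines contain nine-or-more-digit strings that a naive regex would flag; only the two real patterns survive the checks. Base-64 or compressed bodies will still slip past a string scan like this, which is why the post pairs content inspection with decryption and with watching where the traffic goes.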

The last tier of your defense is one that’s often maligned, overlooked, or underrated: User Training. You should train your staff to understand the basics of the threats that are out there, and how to act when they detect something that’s not quite right. You hire competent professionals with good critical thinking skills; you should absolutely use them to defend your organization. Building good security habits takes time and effort to instill as part of your culture, but it is imperative to maintaining a healthy defense.

And in looking at all of these fundamental practices from an executive perspective, these things are expensive in work hours and expertise. It may seem like it’s just cheaper to pay the ransom. The problem with that mindset is that it only solves the problem as it exists today. $17,000 to keep a hospital running and save patient lives seems reasonable, and many of us might make that same trade if we had to make that decision. But these equations are going to change. The attackers will get bolder, the ransom demands will increase, or the threat will grow in severity or scope. When the stakes change, you need to have more than one option available to you.

The beautiful thing about taking the time to do security fundamentals right is that it will help you against more than just ransomware. When these practices and habits are ingrained in your operations, you significantly decrease your exposure to a myriad of threats as they exist today and in the foreseeable future. The path to good security travels right through efficient operation, and empowers and enlightens your organization. You shouldn’t chase good security to avoid punishment, you do it because it pushes aside the noise and lets everyone focus on bigger and better things.

Note:  I’ve listed only a few security controls for the sake of brevity (too late?). For a more comprehensive list, the CIS Top 20 Critical Security Controls is an excellent framework to approach a better security foundation. 

Posted in Tech Stuff

Quitting the “hey, where’re you at?” game

Just a quick one:

A while back I was looking back at the texts between me and my wife, and I realized that a good chunk of the non-mushy ones were just “hey, where are you?” or “what’s your ETA?”  It also occurred to me that most of these occurred when either of us was driving alone.  This is a problem, and I like to fix problems.

Texting and driving is dumb, but the temptation to just fire off a quick “be there in 10” or similar message is hard to resist at times.  After talking to Maggie for a while about it, we decided to do two things:  stop texting the other when we know they’re driving, and enable “Find My Friends” on our phones to cut that entire “where you at?” conversation out.

The Find My Friends thing is a security concern and it makes me twitchy about information leakage.  With that said, I made the tradeoff and it’s been incredibly handy and got rid of a huge life-safety issue, so I’m happy with it.  If a lot of your conversations revolve around querying the location and ETA of a loved one, I’d highly recommend looking into either Find My Friends (iPhone) or Glympse. (iPhone/Android)


Posted in Friends and Family, Miscellaneous Ramblings and Rants, Tech Stuff

Thoughts on the CISSP

I passed the CISSP exam on 11/17 and I figured while it was fresh I’d record a few observations about the studying/testing process.

Why the CISSP

I am applying for a few jobs that either strongly encourage or specifically require the CISSP, so that’s one reason. The other is more complex. Over the 18 years I’ve been in IT and working with security, I’ve read a lot and taught myself a lot. It’s been a great ride and there’s no substitute for learning the fundamentals and practicing them day in and day out. With that said, for every given concept I’ve got 10 different names and a number of conflicting best practices to go along with them. I wanted a standard dictionary, not necessarily to always follow, but at least to be able to reference it. I wanted to have roughly the same vocabulary as someone who didn’t take the same path I did, and the CISSP provided that standardized platform.

Book vs. CBT

I chose to buy the paper version of the Official Study Guide from Wiley/Sybex on a recommendation from a friend who is also studying for the exam. I knew it was going to be a lot of memorization, and at 1000 pages of material it was going to take me a while. It’s the first standardized test I’d taken in over 8 years, so I also knew it was going to require focus and self-discipline. So I bought the book so that I could get away from the computer, the iPad, the TV, and pretty much every other source of distraction.

I looked into a test prep course, but given I’m footing the bill myself I didn’t have $3500 to throw at a weeklong class. With that said, the guide does come with online access to flash cards and practice exams, which I’ll touch on later.

Pacing

I started studying on 10/12 and scheduled my exam for 11/17, which gave me 36 days of prep. With 21 chapters to cover, that gave me one chapter a day to cover plus a self-quiz. The quiz at the end of each chapter not only reinforces the material, it also gets you ready for the specific syntax and nuances of the exam questions. More than a few times I would find myself arguing with the book over how one answer COULD BE more correct and how I’d run across specific situations that ran contrary to their BEST answer. I got that out of my system long before the exam, and learned to turn off that part of my brain and focus on ISC2’s way of thinking.  That was an invaluable skill I learned in studying for the MCSE, and it paid off with the CISSP exam as well.

There were days where everything clicked and I found myself nodding along with the reading perfectly. There were other days where I was either tired, stressed, or just couldn’t lock in on the material and retain anything. Initially 36 prep days sounded like it was going to be fairly easy, but the pacing ended up pretty close. I finished the reading with about 5 days to go and began taking the sample tests. This was much less than ideal, but it worked out for me, although I was feeling a lot of pressure for those 5 days. If you can pace yourself to 50% reading time and 50% exam prep, that’s where you want to be.

Pre-Assessment and Sample Tests

The book comes with a pre-assessment test which is 40 questions (actual exam is 250) and covers a good deal of the material. I took it prior to reading any of the book and got an 80%. I knew that 70% was a minimum passing grade, and that didn’t give me a ton of comfort, but at the very least I knew my work experience had contributed to a good deal of the material that was going to be covered. My goal was to hit somewhere between 90-95% on the practice exams after studying and reviewing the material. (Spoiler: I did not hit my goal.)

Each practice exam is 250 questions, and Wiley/Sybex provide 4 practice exams on their site. I was somewhere in the neighborhood of 30 seconds per question on average, which meant each practice test took just over 2 hours of focus time. The actual exam took me roughly 3.5 hours.

The wording of the questions on the practice exams was incredibly frustrating.  There were times when I stood up and paced, got angry with the test designers, and cursed the entire certification as useless. To make matters worse, once you submitted a question you could not return to it (you could go back and forwards in the actual exam).  While that was harsh, it did force me to focus and didn’t allow me to glean hints from later questions. With that said, I would have preferred if the practice tests more accurately simulated the actual exam experience.

During one practice exam my Comcast connection dropped about 1.5 hours in. I lost that session and could not return to it upon logging back in. From then on I copied and pasted the URL into a text file and found it had a session ID token in it, and I used that to get back to the exam if it timed out.

Upon finishing the practice exam, you are given a correct/wrong rating and an overall percentage. You can go back and review either all answers or you can click on individual question numbers, but there is no function to review all incorrect answers or review all marked questions. In short, they didn’t spend a lot of coding time on the practice exams. I learned to just be grateful they came with the book and take them for what they were.

I developed my own marking/scoring method which helped me a bit, but your mileage may vary. I used the “mark this question” option to mark the ones I had to make semi-blind guesses at. If I got those wrong, I tabulated those as “wrong guess” and then marked which chapter they came from. I also counted the unmarked wrong answers as “confident wrong” and noted whether I missed a nuance of the question or disagreed with what was correct. I spent a lot of time retraining my brain to those, and coming up with a dialogue or a pretend situation where their answer would be true. More than a few times on the actual exam I recalled those simulations, so I like that strategy for the “confident wrongs.”  I really would have appreciated if Sybex had referenced the chapter/page where a given question came from, but for $40 I guess you get what you get.

My overall practice test scores were 78%, 79%, 82%, and 80%.  I fell very short of my target of 90-95% and did not have a lot of confidence going into the actual exam.  I considered rescheduling, but there were a few job interviews pending where I needed to provide proof that I’d passed, so I went for it.

Exam Day

I took the exam at the Pearson Vue center in downtown Chicago, right by Union Station. The test was at 8am, and I planned on getting there by 7am.  I needed to take my passport and driver’s license, and I also brought along my CISSP book, a few snack bars, and a bottle of water.  No Apple Watches allowed, so I swapped in an old wristwatch so I could keep track of time.

I spent the hour on the train reading the Exam Essentials at the end of each chapter, and reviewed a few of my mnemonics.  OSI Model: All Presidents Since Truman Never Did Pot. Got the jitters, got over them, focused on what needed to be done. Got to Union Station and had a quick breakfast sandwich and a large coffee.

Upon getting to the exam center a few things became clear. One thing was that I wasn’t going to be able to take anything in with me to the exam. No passport, no wallet, no watch, no sweatshirt, no snacks, no water, no nothing. I’d anticipated some of this, but I really wasn’t keen on leaving the passport in a locker. The thought of no snacks for 6 hours also seemed like I was going to be hurting at hour 4. I figured if I started to get light-headed I’d see if I could talk them into it, but I turned out not to need it.

Another oddity was probably due to my lack of having done this for many years. I’d assumed because the scheduling was spaced weeks apart that everyone taking the CISSP was going to show up at the same time and we’d all start the exam together, old-school classroom style. That was dumb. I was in a room with doctors and nurses in scrubs taking toxicology tests, EMT tests, and all sorts of other exams. I don’t think there were any CISSP exam takers in my room at all. Also, the test started whenever I was ready, so I started at 7:30 and didn’t have to wait until 8am.

I took the exam and got through about 120 of the 250 questions before taking a quick break. I walked away just to clear my head as I could tell I was starting to get a little fuzzy from decision fatigue and stress, so I grabbed some water and paced a bit just to get my blood moving again. Then I went back in and got to about 230, took another quick bio break and finished up the exam. I was able to go back and read over all of my answers, and I changed 2 or 3 answers from the first half, the rest I left alone.  First hunch is usually correct.

I knew there were 25 experimental questions that didn’t count and didn’t have to relate to the current material, and I knew I’d seen a few of those that came out of left field. I also knew I needed a 180/225 to pass, and that some questions would be weighted higher than others due to difficulty. I’d marked the questions I’d thrown a semi-blind guess at, and counted those. 30.  Ugh… 30? I went through those again and left almost all of them alone. Resisted the urge to throw up or cry, stifled thoughts of good job opportunities disappearing. Deep cleansing breath, click submit.

I didn’t have a lot of confidence I’d passed, but I hit submit a bunch of times and called the proctor. Saw that message saying “congratulations, you’ve completed the exam” and laughed at how sadistically that was worded. No muppet arms yet. She submitted the exam with me and I took the long walk to the printer. I passed. No score given as per the rules, so I have no idea how close I was. Big sigh. Done.

Post Exam Low

I’d read on CCCure.org that a lot of people after taking the CISSP exam feel fairly depressed after taking it, regardless of pass or fail status. I definitely felt this, even while I read over the congratulation letter. I wondered why I wasn’t grinning from ear to ear. More than anything I think it has to do with the placement of the experimental questions in the material. As a psychology student from way back when, I get why they need to sprinkle those into the live material as a blind to the test subjects, but it still hurts. They want us to try as hard at those as they do at all of the legitimate questions, but mentally the pressure of not knowing which questions truly count was significant. I felt dumb after taking the test, even after knowing I’d passed.

If you’re low after the exam, the only advice I have is this: It’s not a measure of what you’re worth or your intelligence. It’s an estimation of your comprehension and retention of those particular study materials, and your ability to adapt your thinking to their particular perspective. I have years of successes in InfoSec and I still felt really dumb after that exam. Don’t fall prey to doubt.

Important Note:  After You Pass, HIC SVNT DRACONES

Because the CISSP is necessary for a few of the jobs I’m applying for, I felt the urge to immediately update my resume and LinkedIn profile.  Claiming the credential before it’s been awarded to you is fraudulent. There’s no accepted lingo you can put in writing for “I passed the CISSP exam, awaiting full certification” so just don’t. If you want to verbally tell your prospective employer that you’ve passed the exam and you’ll have the cert soon, that seems to be acceptable as far as I can tell. Everything else that you’d want to put in writing seems to be forbidden. Resist temptation.


Posted in Tech Stuff

Mr. Radnitzer made me a better security admin

I was 9 years old and my third grade teacher was Mr. Radnitzer.  I’ve searched for his first name, but after 30-ish years those records are long gone.  I want to say his first name was Karl, but that’s a blind guess.  He looked like a Karl though.  He wasn’t impressed with my elevated reading level and vocabulary; he wanted to know why I was behind in math, and all of my trying to talk my way out of it wasn’t going to fly.  I was lucky growing up, I think every teacher in every year had engaged me in some way and been tenacious in getting me to push where I was weak.   Mr. Radnitzer wasn’t content to just give me bad grades on incomplete homework, he’d make me stay after and sit with me, and make me talk through problems.  If that was all he’d done for me I’d be pretty lucky, but there’s one other thing I remember that forever changed how I approach pretty much everything.

That year was the year that I got introduced to the Scientific Method.  I think it was the simple exercise of picking a hypothesis about why a given thing happened, and then we’d talk through how you’d test it.  And we did that and it was cute and then we were done with it.  And in subsequent years other teachers put more emphasis on it and pushed us to approach things in that way.  But Mr. Radnitzer planted the seed.  I hadn’t realized it until much later in life, but all of that emphasis on approaching every new thing in a scientific way has made me successful not only as a systems and security admin, but in so many other areas of my life.

I was talking to a longtime friend about how we handled interviewing and hiring candidates for systems, security, database, or any other kind of admin.  We tested their technical skills, made sure that what they claimed on their resume was true, and that usually didn’t take that long.  But we both had a stringent requirement that the person had to have an “analytical mindset” and we’d ask probing questions to try and get them to demonstrate it.  I’d put the candidate on shaky ground and see how they did.

“I’m aware you don’t have experience with this skill yet, but if someone told you that only VoIP wasn’t working between one site and another, but normal data was flowing through, what things would you do to approach the problem?”

I’d ask database admins this question, or OS admins who weren’t being hired for anything related to network or voice troubleshooting.  And you’d look for lots of things besides just the technical approach to the problem itself.

  • Was the candidate comfortable in what they knew and what they didn’t know, or would they attempt to attack the assertion that they didn’t know the given skill?  Would they claim expertise on a skill they hadn’t mastered yet?
  • When they approached the problem, would they immediately test the facts/constraints they were given?
  • Would the candidate ask if they had other help to pull from, either a coworker or a support contract to assist?
  • Did they ask to clarify the urgency of the problem and address the issue differently based on the urgency?

The problem didn’t have an answer, it didn’t really need one, it was a simulation to see how a given person approached the unknown.  We were looking for people who were not only comfortable but fascinated with the unknown, and had some experience approaching it in a way that gave them a good foothold as quickly as possible.   Those people, assuming they passed other socialization tests (i.e. not an asshole) and have demonstrated enough self-discipline to get themselves cleaned up and to work on time regularly, are the people you want alongside you when the defecate hits the oscillator.

As I’ve been looking back over my career and trying to figure out what I can bring to an InfoSec position, I realized that saying “I think on my feet” is only part of the equation.  I have a lifetime of observation, hypothesis, testing, and re-evaluation that defines how I look at and interact with the world.  And I owe it at least in part to my third grade teacher, Mr. Radnitzer.


Posted in Tech Stuff

Know thyself, or at least your network

As I’ve been shifting my focus towards information security, I’ve been thinking a lot about all of the different facets of securing a given network.  There are a lot of moving parts even in relatively simple networks.  While the defender has to secure something on the order of 10,000 or sometimes many more items, an attacker usually only has to compromise a handful to be successful.  The percentages certainly don’t skew well in favor of the defenders.  It’s enough to make you want to give up, except giving up usually doesn’t pay well and regret isn’t all that nutritious.

While we can’t build completely impenetrable networks, there’s a lot that can be done to detect and slow down would-be attackers that manage to get through.  While security vendors would have you believe their product is the One Thing that will cure all of your ills, the truth is that some of the most productive things are free, at least from a purchasing perspective.

All throughout my life I’ve loved realtime strategy games or dungeon crawlers, especially the ones that start you in a very small corner of the map where you see a smidgen of the world and the rest is dark.  I loved the challenge of carefully expanding that view; learning to never overreach but to keep pushing the boundaries until I filled all of the map. Looking back over 18 years of IT, I’m surprised it took me until about 10 years ago to start playing that game in my work life, but since then I’ve been able to make incredible leaps forward in broadening my understanding and skills.

All of it stems from this simple premise:  If you can’t draw it, you don’t understand it.  If you don’t understand it, you cannot defend it.  Both of them seem like common sense and I would have sneered at them before, but I realized I never pushed those agendas as hard as I should have.   I had my little corner of the world and I’d make diagrams of that, but the rest of it was someone else’s job or was off limits.  They got mad if I asked so I didn’t.  Then I was lucky to work with a group that turned that upside down, where the mindset was “it’s yours to defend, if you don’t understand it then ask.”

And so in between making everything work, keeping the business running, and soothing bruised egos and all of the other expectations of the IT life, I started making maps.  I ran into sections where I didn’t know how things worked, and some of the conversations went really well.  Some of them went like this from my side:

Yes I realize this is very hard to explain.

Yes, I understand you’re on fire right now.

Well then when do you expect to not be on fire?

And then what usually followed was a bunch of colorful four letter words and comments about my parentage.  What I learned from those was to lead with what I knew already, and then ask very specific questions.  So rather than saying “I don’t understand anything about how this app works, can you explain it?” I’d say “I know this app runs on WebSphere, and I know eventually it pulls the data from Oracle.   Which server is it on and where’s the config file for which database it hits?” and I’d get my answers and keep filling in the map and they’d be happy I was out of their (burning) hair.

I realized I would have to make at least two types of maps, physical and logical.  The physical maps showed all the places where certain hardware or virtual servers were located and where the links were.  The logical maps showed the flow of information from a given use case into the environment from the start to the end of the given transaction.  And then I’d make hybrid maps that showed the use case and what physical nodes were touched along the way.
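The hybrid map is the one that earns its keep, because it is the join between the other two, and the join is where the gaps show. As an added example (not the post’s own tooling), here is that join done in Python over a constructed physical inventory and a constructed set of logical flows: it produces the hybrid edges, emits a Graphviz DOT drawing with one cluster per site, and, more usefully, lists every hop that nobody has claimed a host for, which is the dark corner of the map you need to go ask about. Host, site and service names are invented.

```python
"""Hybrid map from physical inventory plus logical flows (added example).

Not the post's own tooling. The physical inventory says where each host lives
and what it runs; each logical flow is the ordered list of services a use case
touches. Joining them gives the hybrid map and, as a by-product, the hops that
no host has been claimed for. All names below are constructed.
"""

# Constructed physical inventory: host -> site and the services it runs.
PHYSICAL = {
    "web01": {"site": "dc-chicago",  "services": ["apache"]},
    "app01": {"site": "dc-chicago",  "services": ["websphere"]},
    "db01":  {"site": "dc-elkgrove", "services": ["oracle-orders"]},
}

# Constructed logical flows: use case -> ordered service hops.
LOGICAL = {
    "place-order":    ["apache", "websphere", "oracle-orders"],
    "nightly-export": ["websphere", "sftp-gateway"],   # nobody has said where sftp lives
}


def service_index(physical):
    """Invert the inventory: service name -> host that runs it."""
    idx = {}
    for host, info in physical.items():
        for svc in info["services"]:
            idx[svc] = host
    return idx


def hybrid_map(logical, physical):
    """Return (edges, unmapped).

    edges: (use_case, from_host, to_host) for each hop, in flow order.
    unmapped: (use_case, service) for hops with no known host; they appear in
    edges as a "?service" placeholder so the gap is drawn, not hidden.
    """
    idx = service_index(physical)
    edges, unmapped = [], []
    for case, hops in logical.items():
        hosts = []
        for svc in hops:
            host = idx.get(svc)
            if host is None:
                unmapped.append((case, svc))
                host = f"?{svc}"
            hosts.append(host)
        edges += [(case, a, b) for a, b in zip(hosts, hosts[1:])]
    return edges, unmapped


def cross_site_edges(edges, physical):
    """Hops between two known hosts at different sites: the links that need
    monitoring and a firewall rule, and the ones an outage notice should name."""
    return [(case, a, b) for case, a, b in edges
            if a in physical and b in physical
            and physical[a]["site"] != physical[b]["site"]]


def to_dot(edges, physical):
    """Emit Graphviz DOT: one cluster per site, one labelled edge per hop."""
    lines = ["digraph hybrid {"]
    by_site = {}
    for host, info in physical.items():
        by_site.setdefault(info["site"], []).append(host)
    for site, hosts in sorted(by_site.items()):
        lines.append(f'  subgraph "cluster_{site}" {{ label="{site}";')
        lines += [f'    "{h}";' for h in sorted(hosts)]
        lines.append("  }")
    for case, a, b in edges:
        lines.append(f'  "{a}" -> "{b}" [label="{case}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges, unmapped = hybrid_map(LOGICAL, PHYSICAL)
    print(to_dot(edges, PHYSICAL))
    print("# cross-site hops:", cross_site_edges(edges, PHYSICAL))
    print("# still dark:", unmapped)   # these are the questions to go ask
```

Pipe the DOT output through `dot -Tpng` to get the picture; the `unmapped` list is the one to keep by hand, because it is the list of specific questions (“which server runs sftp-gateway for nightly-export?”) that the post says get answered far more readily than “explain the whole app to me.”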

Somewhere along the way, the maps became a necessity for more than just me.  The people who’d contributed to them, looked them over and said, “yes, this is how it works, I don’t know why you chose to draw out all of this other stuff that I don’t care about, but my part is right at least” were now coming back to me and saying “hey, I need that map you drew for an upcoming change meeting”.  They were glad for the previously irrelevant stuff.   The hybrid maps became essential for audits, and discussing upgrades, and so on.   We started sewing the maps together.  I learned that big picture knowledge is infectious and it comes with a side of gratitude.

A neat bonus was that the types of decisions that we made had fundamentally changed as the maps got better.  We stopped talking about specific niche solutions and products that seemed cool, and started talking about physical and logical needs across environments.  And the overall feel was that none of this mapping exercise was rocket science, but with the greater understanding of our environment we could probably do rocket sciencey stuff.  It was incredibly empowering and in retrospect we should have done it much sooner.

And so you’ve read about 900 words of me saying “ask questions and make maps” and you’re probably thinking to yourself “seriously Jason, tell me more about how the sky is blue and water is wet!”   In sitting down to write this, I realized that what I’m saying isn’t profound, it’s mundane.  Mundane’s ok; it comes from the Latin mundus, the world, the ground we all stand on.  If you don’t have maps of your environment that everyone contributes to, you’ve got very little common ground to stand on.

And so my goal of writing this is to reignite that drive to know every inch of your network, at both a physical and logical level.  With that knowledge, you’ll pick better tools and make better decisions.  The tools you pick will work better because you’ll implement them based on that knowledge, and you’ll have a better understanding of what you need and what you don’t.  You’ll set your tripwires where they’ll do the most good, and when the battle comes to you, at least you’ll have home field advantage.

N.B. It’s good to be proud of your work, and when you make maps there’s sometimes an urge to print and hang them on walls for everyone to see.  Combine that with someone standing next to it and having their picture taken, throw in a little social media, add a dash of high-megapixel cameraphones making that text possible to read, and you’ve got a really bad hack-me kit.  Be careful where you hang your maps.  The same goes for the source files: a diagram that names every host, address and trust boundary deserves the same access controls as the configs it describes, not a world-readable share.

Posted in Tech Stuff