Tuesday, October 20, 2015

Don't give others power over you...

Sure, people regularly irritate us all.  Each of us has at least one person who we could call our "thorn in the flesh."  That's life, and it is part of all of life.  But what I've learned over the years is that changing my behavior because of another person's behavior has never served me well.  That's because if I do, I have given that person power over me.

A simple example of this concept is being irritated by an action of another driver on the road.  We often get angry, maybe shout, and all the while the other driver just simply moves along completely ignorant of our disdain.  But our blood pressure has risen and our mood has been affected.  It's kind of a waste.

While this concept applies to all aspects of life, I will focus on folks who live and work in IT, since it's where I spend most of my time.

I'm continually amazed at how many people stunt their careers by choosing not to work with others simply because people irritate them so much.  I've seen promising IT folks become as bad of an HR burden as those that they dislike, because they are so heavily affected by the behavior of others.

I know this from experience.  I've had events in my career where I've tried to aggressively make a statement regarding someone's behavior, or gone off on someone just to prove my point.  In each case, I was the one who ended up paying for it, and ultimately they were not worth it.

I've seen it in IT circles over and over again.  Someone's behavior, speech, or what they outwardly represent so annoys someone that they often become like that person. A great example of this was a coworker some years ago that had tremendous potential for leadership.  He was and is an extremely talented individual.  Yet this person let everyone's behavior bother him so much that he himself became uncooperative, difficult to deal with, and anything but a team player. Nobody wanted to deal with him as a result.

Here's what is interesting, and it's true over and over again: His behavior did not in any way change the behavior of those who annoyed him.  Instead, the behavior of others changed him.  And for the period of time he was employed there, it hurt his internal career opportunities significantly.  As a result of his reactions, nobody wanted to deal with him. In essence, he had given those people power over him, and it hurt his career and his life at that time.

Fortunately, this individual eventually grew through this.  He learned that by giving people that much power over him he was only hurting himself, not doing what is best for him.  He has since gone on to be quite successful elsewhere in the industry.

Since then, I've had the fortunate opportunity to counsel many with these thoughts, and hopefully have been able to help them.  While individuals who work for a company are there to serve that company, I tell them that in order to do that well, they must also serve themselves, and one of the ways to do that is by being as free as possible from the negative power of others.  Think of it as a game: Even though this mostly isn't true, visualize that people that are irritating you are doing everything they can to give themselves power over you. And if you let them do that and it affects your behavior, they win.  In turn, if you focus on serving yourself, doing what is best for you and your career and not let those people bring you down into their "trap", then you win.

It's a game we all have to play all of our lives.  Whether it's a co-worker, a boss, a politician, these folks will (mostly unintentionally) "try" to control us.  And we have to constantly fight that control.  We can't surrender that power to them.

The same principle, by the way, applies to forgiveness.  If we can't forgive, ultimately we are the ones that are damaged.

For me personally, my life goal is to become truly free.  Free from fear, free from the power of others, freely forgiving, completely letting go.  This is a huge part of this goal, and by writing this I am in no way saying I've mastered it.

There's an old saying, "Don't own what you don't control."  While I'm not endorsing the enabling of behavior, if you can't change it positively or have a positive influence, don't let it own you.  The most powerful thing you can do to a person is ignore them.  While I'm not saying that's easy to do with co-workers, the principle that applies is to do everything you can to "take the high road" and try your best to not give them power over you.

Saturday, July 18, 2015

Drive your computer using your valet key

A long time ago in a galaxy far, far away, there was me, pre-CSO, doing lots of vulnerability scanning and reporting.  A big part of that was (and still is) helping our many businesses prioritize the patching of these vulnerabilities in order to protect their most important data.

I would examine system vulnerabilities and focus primarily on the ones that were externally exploitable (called "level 5 vulnerabilities", the most severe in our vulnerability management software).  Important, of course, because allowing an attacker into a system easily isn't a good thing.  Other vulnerabilities, including "local privilege escalation vulnerabilities" -- vulnerabilities that allow someone who is already on a computer to use an exploit to escalate their privileges to a higher level, such as "Administrator" -- were a lower priority.  Why?  Because I didn't realize how important these vulnerabilities are.

In the years following, I have learned penetration testing.  I've had the opportunity to participate in many "capture the flag" exercises, including SANS NetWars Continuous, SANS Holiday Hack Challenges, exploitable virtual machines and online capture the flag games.  Man, I've learned a bunch.  And I continue to have many opportunities to apply this learning in my daily work.

One of the important things I've learned is that successful penetration testing relies heavily on "local privilege escalation."  I often gained access to an account or computer but did not have the privileges necessary to access the real gold, such as password hashes, domain credentials, databases, etc. ("flags"). It finally hit me that local privilege escalation vulnerabilities ROCK!  A simple software exploit got me all the privileges I needed.  From an impact perspective, they are about as dangerous as external vulnerabilities since they allow an attacker much easier access to the crown jewels of an enterprise.

Many (if not most) users already make this job easy for an attacker.  They do their daily web browsing or email reading using an account that either has full administrative access to their computer, or worse yet, full access to business information that has great value.  Those who "drive their daily computer use" using an account that they also use to administer their servers and services should be very afraid.  Most of the systems we see compromised have been when the user is browsing the web, downloading software, clicking on email links or opening email attachments.  Oftentimes the attacker is given access to the computer with the same level of privileges as the victim user.  If the user has high-level privileges already?  As I've often stated with joy while doing pen testing, "we have WINNER!" :)  It's like landing a nice mountain trout on your first fly.

Since then, as part of my regular live awareness courses I talk about this particular variation of "least privilege."  Using real attack demonstrations I try to show how much easier it is for an attacker to steal the good stuff from users who insist on "convenience" at the expense of security.  For this year's training, the best mental illustration I've been able to come up with is the concept of a valet key.

A valet key is a key for your car that is different from your normal car key.  Valet keys usually can unlock the driver's side door and start the car, but they can't unlock the trunk or the glove box.  This key is normally used when someone else operates your vehicle, such as a valet parking attendant.  They aren't perfect (they don't prevent a vehicle from being stolen), but they do make it harder for someone who has the key to access your valuables in the trunk or your glove box.

Using this example, this year's awareness training emphasizes "driving your day-to-day computer use using your valet key."  That "key" is your account, in this case.  If an attacker compromises that key, it can be much harder for them to access your "valuables". 

How does one drive their day-to-day computer use using a valet key?  By using an account that doesn't have local administrative privileges.  By using a separate, higher privileged account for accessing valuable information or for managing servers and services.  Or even by ensuring that two-factor authentication is required in order to use those higher privileges.  And by not using the "higher privileged key" for anything other than what it is for.

Sure, it's an inconvenience if you need to fish for your "higher privileged key" when you need to access your valuables, or plug it in each time you need to do something that has greater importance, like installing software.  But along with the importance of keeping your computers patched and protected from those awesome local privilege escalation exploits, driving your computer with your valet key will make it tougher for the bad guys to succeed.

Sunday, June 28, 2015

My Impressions of SANS NetWars Continuous

From the SANS NetWars Continuous website, https://www.sans.org/netwars/continuous :

"SANS' NetWars Continuous Online Range uses the gamification of IT Security to advance your most vital InfoSec skills. To build your skills and keep them from getting rusty, you need an environment where you can apply your knowledge to solving real-world infosec issues to stay sharp. That's what NetWars Continuous is all about. Over the course of 4 months and 5 levels, you can master real-world tactics and techniques in a safe learning environment."

Having just about completed SANS NetWars Continuous, I wanted to share my impressions on it and my experience working through it.  Obviously, I will share what I can without giving away any hints or details that might ruin it for others who will participate in the future. :)

First, let me say this: I am not a pentester.  Nor am I a blackhat.  I don't spend many hours of my days hacking into other people's networks.  What I've learned, I've learned through self-training and SANS courses, with great instruction by people like Ed Skoudis, Seth Misenar, Dave Shackleford, Jeremy Druin, and others like them.  I do hack some as part of my job and definitely enjoy it, but by NO MEANS am I at the level of these guys or those who do this kind of thing every day as their profession.

I signed up for NetWars continuous after taking SEC542 (Web Application Testing and Ethical Hacking) in New Orleans from Seth.  I thought, why not give it a go?  It has been fun and severely educational.  While live NetWars competition is available at SANS conferences, NetWars continuous provides much more time for someone like me to learn a whole lot more.

Ed Skoudis and his team have done a great job of creating a challenging CTF game that is stable and repeatable.  That isn't easy to do.  It's consistent in that things work the way they should and you don't have to worry about getting "cheated" by a technical glitch or an unseen bug.  They also make it fun in the usual Ed Skoudis way, by including a theme and characters from that theme as a backdrop for the scenario.

My 4 months is over.  Here's a brief overview of my experience.

NetWars is NOT just about offense.  That is made clear immediately in levels 1 and 2, where you are provided with a Linux image to work on.  As someone who has been actively defending for years and is an old Linux guy, levels 1 and 2 were both interesting and pretty straightforward.  Correctly answering online questions is the way to earn points in levels 1 through 4, while taking as few hints as possible.  You are allowed up to 3 hints per question, but taking them all not only lowers your ranking in a tie situation, it also (for me) kinda defeats what I wanted, which was to force my own learning and education.  I tried my best to take as few hints as possible, and if I wasn't sure about something I would hit up the Interwebs first.  Often after starting work on a question I would take the first hint just to make sure I was "barking up the right tree".  I was surprised and stoked that I was able to make it to level 5 while taking only 23 hints, and only needed all 3 hints for one particularly grueling question, which took me an entire week to answer! (more below).

They also show you all 3 hints after you have successfully answered a question.  On one scenario, I realized I was able to complete it in a different manner than what the hints showed afterwards, and I was kinda proud of myself for that one. ;)

The variety of scenarios and questions stretch you, as they cover almost all aspects of offense, defense, forensics, intrusion detection, etc.  I never found any of it boring or repetitive.  The challenges kept stacking up.

Level 3 introduces you to the online challenge by placing you in a company's DMZ where you have to attack and infiltrate systems in a variety of manners.  This is where I really started to have to stretch my mind a bit.  It includes network and web application pentesting in this level.  Having just finished SEC542, I really enjoyed this level.

Level 4 ups the ante by giving you the opportunity to break into the internal corporate network.  It includes social engineering, which I think is fantastic.  This level took me awhile.  One particular question involving encryption took me about a week to research, learn and try before I finally got it.  It was a bruiser. ;)

When I started NetWars continuous I never even dreamed of making it to level 5.  I was surprised and stoked that I did (and kinda scared too! ;) ).  I wanted to complete all the questions in the previous levels so that I had as many points as possible, as I wasn't sure how well I would do from there.  After finishing off, I joined a level 5 game.

Level 5 is interesting in that it is live offense and defense.  You compete against others in the game, defending the "castle" you are given while performing offense against theirs, with the goal of uptime for your castle's services while placing your "flag" in the services of as many other castles as you can.

The other thing that is interesting about level 5 is that it is played in games that last one week.  Each Monday a new game starts, and you join it and move on.  You can play as many games as you like as long as you have time left in NetWars continuous.  I found this to be a great thing, because it honed my approach.  Having about 5 weeks left, I decided to start the first game I participated in by just "watching" what happened.  Locking down my castle as much as I knew how (a couple of the applications I had to defend were new to me), I set up a packet capture and leaned back.  My castle was compromised pretty quickly, but I had the evidence of exactly what was done.  I used those packet captures to lock my castle down further, as well as to learn the techniques of some of the better attackers and put them in my bag of offense for use in the next game against others.  After 2 weeks of this, my castle finally appeared to be pretty solid.

That having been said, offense came slowly, because, well, I'm not as good, and I ended up not having a lot of time during those weeks to watch for newcomers. And there remained some very good offensive players (one in particular who had taken 0 hints throughout) that had more time, jumped all over the newcomers almost immediately, and made it difficult for others to compromise the boxes they had already pwned.  But I did manage some fun pwnage. :)

It has been a fun and very satisfying experience for me.  It looks like I'll still finish with a spot in the top 10% of finishers, which for me is quite surprising yet makes me happy... ;))

So, if you are thinking about participating in NetWars Continuous, do it!!  It's not cheap, but it's worth every penny, and you can get a discount if you sign up for it when you register for a SANS course.  I paid for it out-of-pocket as a gift to my own education, and I can say sincerely that it was definitely worthwhile.  Since much of my job is making this very same stuff educational and entertaining for end-users, I have a lot more material to talk about.  Thank you Ed Skoudis and SANS!

P.S.: Others to thank that I know are part of NetWars, and forgive me if I've left someone out: Daniel Pendolino, Tom Hessman, Josh Wright, Jeff McJunkin, Tim Medin...THANKS!!!

Saturday, June 27, 2015

My tribute to 2002

From their website, http://www.2002music.com :

“2002 specializes in music with classically tinged melodies, dreamy flutes, crystalline piano, tender strings, celestial choirs, harp and acoustic guitar. This award-winning, progressive new age band has placed 11 albums on the Billboard Charts and made the list of top new age artists in a Billboard Magazine “Year in Review” issue alongside Yanni, Mannheim Steamroller, Jim Brickman, George Winston and Enya. Their ever-evolving sound encompasses a wide range of genres – from wistful ambient soundscapes all the way to light progressive rock.”

This is something I've wanted to write for many years.

I was first exposed to the music of 2002 back in the late 1990s.  I was in a spa where they were playing the CD “Land of Forever”.  Something special happened within me as I listened to their dreamy music that sounded like what an angel’s choir might sound like.  As the song “Heavenly Cities” was playing, I spoke out loud, “I have got to buy this CD!”  My life’s musical experience has never been the same since that day.

Randy and Pamela have been making music for some time, most of it in their own personal studio.  They seem to have the uncanny ability to capture spiritual depth in their music like nothing else I’ve heard before.  Not only is it truly peaceful music, it also plays on the strings of the soul.  It paints a wonderful picture of the majesty of this universe and this life and what an incredible gift they are.  I can say without question that the music of 2002 is among the most spiritual music I have ever heard.

Here’s an example of why 2002’s music is so special to me.  I spend as much time as I can in the high Sierra Nevada Mountains in California.  I find the Sierra to be one of the most majestic places I’ve ever been, most especially Yosemite and the Eastern slopes of the mountain range.  Whether it’s the snow, the granite monuments, the rivers and streams, the afternoon thunderstorms over 13,000 foot peaks, or the wildlife that calls it home, for me it is truly a special place.  I liken it to “God’s living room”.  I am a fly fisherman, and I experience tremendous enjoyment fishing the streams of the high and eastern Sierras.  As a catch-and-release fisherman, I also find myself enjoying a surprising connection to the creatures that I get to "meet" in the water.   It is one of my favorite places of spiritual retreat.

Others do visit these places as well, and I am often surprised by the music they bring with them.  It is sometimes music that seems so out-of-place with the majesty of the environment they are in, music that (it seems to me) doesn’t allow them to connect with the beauty they are experiencing.  For me, the music of 2002 brings these magnificent places to life!  That is why I encourage others to listen.  It definitely enhances my spiritual connection to the beauty and majesty all around me (and even at home).

I often hope that Randy, Pamela and Sarah have had or will have the opportunity to visit this wonderful place.

While I own all of their albums, my favorite is “Wings II - Return to Freedom”.  You know when they say "If you could only take one CD with you?"  Well, that's the one.  It’s almost always playing in my ear buds when I’m on the river.  Other favorites include “The Emerald Way”, “Deep Still Blue”, “This Moment Now” and “Believe”.  But I honestly enjoy them all.  The addition of their daughter Sarah to their work has produced one of their best CDs ever, “Trail of Dreams”.  She is really fantastic and the perfect addition to their work.  I so look forward to what they will come up with next.

So, I want to say thank you, Randy, Pamela and Sarah for your amazing talents and your continued gifts to me.  I am truly grateful and will continue to enjoy your music wherever I am.