Silicon Shecky

Infosec Practitioner


Do well, not be “popular”

March 9, 2022 By Michael Kavka

I’ve had some things on my mind so this will turn into a rant or stream of consciousness. If you feel called out on this post, it happens. Hopefully this will help some others out there.

See, I’ve spent the last 15 years, as I moved from a Network Engineer to a Security Engineer, trying to fit in with the CyberSecurity/InfoSec crowd. I am proud to be part of the community, proud to be one of the organizers of the Burbsec meetups in the Chicago area. I love welcoming new people into the community, but I am not a leader. I am not, and will never be, looked at as a thought leader, a well known speaker, or anything else other than Shecky.

It is not that my thoughts and ideas are bad; I just am not part of the popular big names. Yes, I occasionally get a speaking slot at a conference here or there, and I love doing it, but I am 50 years old with a 5 year old son who I adore, so I don’t do a lot of travelling to distant conferences. I mostly stay within a 4-6 hour drive from the Chicago area. When I was younger I didn’t have the money to travel, and the whole traveling consultant thing and I had problems as a local network/server/desktop person before I moved into security. Add on that my writing skills are the weakest part of me, and you have a recipe for being just another face in the crowd, which seems to surprise some people because I talk with the more well known people in this field, so it is assumed that I am one of them.

I’m not though. I am your everyday person (pronouns for those that ask are he/him). I try to keep my main Twitter posts security related, unlike many who use it for expressing their political/social thoughts. Note that I said my main posts, as I will reply to others’ political and social issues posts. Also realize that these other people get followers strictly for the non-security posts that these people make. There is nothing wrong with that at all and I commend them for trying to make the world a better place by pointing out what they see wrong with it.

I’m not well known, as I have never written a piece of software that people use, written some huge idea that people have run with, or started/founded a company. I have not run a conference, although I did offer to help build one but was told I wasn’t needed for that level. Instead I just volunteer for it, and a few others. I enjoy documenting the conferences by officially taking pictures for them (I was a professional photographer for a while back in the 90s). I enjoy helping others out. I see cooperation as a way to improve, well, everything including security.

I love public speaking, but as I said my writing skills and lack of any big revelations tend to get my talks turned down at the CFP level, and I do let others look at and help me edit my CFPs before I put them in. I know my weaknesses. Those rejections hurt and I take them hard and sometimes personally even though they are not. That comes from rejections and being looked down on throughout my life going back to childhood. Like many I was picked on growing up. Adults shunned my thoughts, and I didn’t fit in well with most people my own age.

I feel bad that new people to our community get picked on and trolled. It is not the right way to do things. You should be treated with respect no matter your gender (or lack of gender), skin tone, religion, age, sexual orientation, or anything else. Yes, I do speak this as a Jewish White Male, so from a position of privilege. I do what I can to use that privilege to help others.

Yet, here I am, still going, still trying to post stuff that will help people, and I will keep doing it no matter how often I seem to get the urge to just give up. I fought hard to get where I am. When I got back into computers in ’97 I looked to the world of security. I worked as a break/fix guy, on the helpdesk, as a system admin, a network admin, a network engineer. I had times where I was out of work due to contracts or being screwed over. When I finally got my first official security gig in 2015, I felt it was just the beginning. I dreamed of becoming a big name, or at least speaking at conferences and eventually keynoting them. Instead, I’m just another cog in the engine who is respected enough to chat with and know some of the big names, and you know what, that is fine. There are more people like myself out there, and we are the ones who have to take the big thoughts and make them into reality.

We just need to be treated with kindness and respect, especially when breaking in. It is tough enough to get that first security job, especially the way that I went about doing it with no degree. The gatekeepers are tough, but persistence works and eventually will pay off. So be part of the community. Talk to others, no matter how big a name they are. Ignore the trolls, because even if they are right about something, they will say it in a condescending way. Finally, help pull up others. With how the world is today, we can each use more people in our corner.

Filed Under: Ramblings, Rants

Are you sure it is the execs?

May 11, 2021 By Michael Kavka

Security is all the rage today. Supply chain attacks, ransomware, data exfiltration: it is all in the news pretty consistently. We as security practitioners have a tough job. We know there is no such thing as being 100% secure, so we make our best effort at securing and detecting. We also realize that detection and reducing dwell time is huge, so we ask for more people, more tools, more money, and it seems that execs are listening. Reports show that security is high on execs’ minds. So if you are a small to medium business, why can’t you detect better? We all know that there is a bottleneck somewhere, and I am becoming more and more convinced it is not at the higher levels. It is more a division of duties and departmental struggle.

If your company is designed well from a security and IT perspective, accounts have only as much privilege as they need. A person in security should not have Domain Admin rights, as an example. A person in the security department also should not be in charge of configuring endpoints, but should be working with the other IT departments to deploy such technology. So if you want to configure and deploy, say, Sysmon, the security people should get everything set for deployment and then pass it to the proper department to deploy. Here is where a bottleneck can come in that we do not think of initially.

Using Sysmon and the collection of its data as an example, since Sysmon is a quality, free and popular product, how are other IT departments possibly the bottleneck in deployment? We, as security engineers, should be able to pass a set of install packages and configurations to the IT team for them to deploy. They just need to deploy it, but wait. How swamped and understaffed is that IT department? Have they bought into the need to deploy this? Do they have time to test on their standard configurations? Then you need to think about which SIEM the data is going into. Who owns that product? Does it actually fall under Security’s budget, or is it under IT’s, and where under IT’s? Is there going to be an increase in cost because of more data coming through (one spot where SIEMs fail us is the pricing of ingestion)? Will this kill their budget? Is there going to be a fight over this that will leave IT less likely to work with us in the future? Who is going to support this new addition to the systems? Do they need training? What is the cost of training and how long will that last? Will it cut into time for their day to day job requirements? Is there a different, more business critical project going on that will cause this to be put on the back burner?

It is easy to point fingers and lay blame, but are security departments doing their due diligence on the whole situation, or are we creating yet another problem? Yes, it gets frustrating to us when we know something we see as a simple, no-brainer can’t be implemented. Yes, it does blind us when the tools that we got buy-in from the execs on are stuck in limbo and not as effective as they could be. Are we, though, bringing the other teams to the table, just like we want to be brought to the table when they are bringing in/developing/deploying new technology, or is it do as I say, not as I do?

Security is something we need buy-in on from all parts of our organizations, not just the Executives. Are we sure that the bottleneck is not IT, or even us and how we treat others?

Filed Under: Ramblings, Security Tagged With: Cybersecurity, InfoSec, ramblings

SolarWinds Sunburst: Haven’t We Been Here Before?

December 30, 2020 By Michael Kavka

Timing is not everything, it is the only thing. I really believe that and have for a good portion of my life. A little bit off, a little bit early or late, and things do not happen, things can be missed, and who knows what the result would have been. How this relates to the title of this post is simple: the past tends to repeat itself, and I currently am seeing that through a book that I am reading.

The book is called Sandworm by Andy Greenberg. It covers a Russian hacking group that has been attributed to NotPetya amongst other attacks on Ukraine. We all know about NotPetya; remember how it crippled a shipping company called Maersk. All this happened a month after WannaCry hit. There are many similarities I am noticing as I watch those who are unravelling the SolarWinds Sunburst attack, and what has been revealed about how the Sandworm group operates, namely leading into the NotPetya attack. Surprisingly, I have not seen mention of this on Twitter, or in any news reports/blog posts on the Sunburst attack.

Mr. Greenberg, in his book Sandworm, had interviewed Amit Serper of Cybereason about his reverse engineering of NotPetya and subsequent investigation of the malware and attack. The short version is that it was a supply chain attack that used M.E. Doc’s own update server to install a compromised update. The NotPetya attack happened in June of 2017, but Mr. Serper found a webshell on those update servers going back to November 2015. So they were on the network for at least a year and a half before the attack.

Let us take a look at what has been revealed about Sunburst. It is a supply chain attack that used SolarWinds’ own update servers to install a compromised update. Currently the information security world sees October 2019 (just over a year) as the latest that SolarWinds was compromised (while that timeframe is accepted right now, since the investigation is still going on I do not want to say that it is definitive). Now go back a paragraph and re-read what I learned about NotPetya. Sounds similar, doesn’t it?

I have not yet finished reading Sandworm, but other interesting tidbits that I read included Robert M. Lee of Dragos (among others) wanting to warn the ICS world about this type of attack due to the Ukraine blackout attacks, which were also attributed to the Sandworm hacking group. It also revealed how little the U.S. Government did to warn about these types of attacks or this hacking group, since it was Ukraine that was targeted.

The timing of me reading this book is really what has brought the similarities up to me (I do recommend the book). I am not attributing the SolarWinds situation to the Sandworm group. I do not have the expertise to do that. I am saying that it looks like history might be repeating itself. I do not know if anyone else has noticed these similarities, but I assume someone else has. The question remains though: will we actually learn from this, or will this become yet another case of all this has happened before and it will happen again?

Filed Under: Ramblings, Rants, Security Tagged With: NotPetya, Sandworm, Solarwinds, Sunburst
