Silicon Shecky

Infosec Practitioner


Another week down

November 17, 2017 By Michael Kavka Leave a Comment

So another week, another round of same stuff, different day.

The Reverse Engineering class through the Brakesec Slack is going fantastically. So well, in fact, that an extra week has been added onto it. The videos should be public mid to late December through their YouTube channel, so you might want to check that out.

There are lessons to be learned whenever an employee leaves, especially when that employee holds the majority of the knowledge of the company and its systems and is on major projects. First thing: do not force any of those projects through if they are not really ready. The fallout can be painful and create all sorts of other security issues. Something to remember: never have a single point of failure if at all possible.

Legacy systems are the soft underbelly of all corporations. Red teamers love finding out about them, as they are usually the easiest technical way in (social engineering, I think, still tops the list of easy ways for them). The other issue they cause is slowing down the adoption of newer end-user systems that still get patched regularly. The big security tip I have learned from this is that all systems need to have a life cycle put in place from the time they are being planned. Know and keep up to date with what the replacement options are for systems as well, as this will help you budget in advance. It will help keep systems in a positive life cycle for patches and connectivity. Too many times over the years have I seen people wait way too long to do those legacy upgrades, and it costs. It costs in having to find a way to do multiple jumps through versions of outdated software to get to the current version, not just in money for the software, but in time and resources to plan and test the upgrades.

That is all I have for this week. Next week there might not be a post with the Thanksgiving holiday here in the U.S.

Filed Under: General, Security

Forward and Back

November 10, 2017 By Michael Kavka Leave a Comment

A few things happened this week. First was that I took (and passed) the CISSP exam. Six months of studying, worrying, and panicking all the way through. The test itself was not exactly what I expected, as it seemed to focus on a couple of domains and barely touched on others. Still, that is something I am glad is over with.

The other big thing this week is a lesson for all of us in the field, one that I think is more important, and one we overlook at times: the single point of failure. No, I know what you are thinking: Shecky, you just took the CISSP and passed, and you learn about single points of failure as part of studying for that exam (and a good number of other IT/infosec exams). We all know how expensive it can be for equipment to avoid it. We aren’t overlooking it. Yes we are, and in a major way.

How many of you have a person that is the go-to guy? You know, the one who is so ingrained into everything, with so much knowledge, that if they won the lottery and left it would cause problems. I’ve been dealing with a brain dump recently due to someone like that leaving. Documentation needs to be updated (or created). Knowledge needs to be transferred. It is something we can easily overlook as we are doing our day-to-day business. Now, I am no red team person, so I do not know how much it affects them, but every place I have worked, there have always been key people like this. It also becomes tough to get knowledge from them until they leave, as they feel the knowledge helps keep them employed and untouchable.

Here is the thing: this also gets covered in the CISSP exam, and it is something basic called Separation of Duties. No one person should be holding that sort of keys to the kingdom. There has to be Job Rotation to help combat this. Documentation writing is great and all, but nothing beats hands-on training in my opinion, and getting mentored in areas you do not know at your job is a great way of getting trained. It also prevents that single point of failure, the one guy who, if something happens to him, takes too much vital knowledge with him.

I know that there are a lot of people in the world of infosec that scoff at the CISSP, but just looking at this small topic that it touches on shows the need to revisit it. No, it is not super technical overall, but it does delve into basics. Those basics are the building blocks of security, and that is something we forget about, sometimes until it is too late.

Filed Under: Rants, Security Tagged With: CISSP, InfoSec

Same old thing

November 2, 2017 By Michael Kavka Leave a Comment

This week, I do not have a lot to go into. Just a few small tidbits.

I started an RE class this week through the Brakeing Down Security Podcast Slack and its users. It is a four-week class, and this first one was nuts. Basically going over assembly language and how it works. It has been way too many years since I had thought about it from a how-it-works point of view. I applaud Bryan for setting these affordable classes up, and they are worth CPEs.

Speaking of studying, you all can groan, but I have been working on my CISSP. My current employer wants me to get it. I am scheduled to take the exam on Nov 6. I love that people who know me have more faith in me passing it than I do.

Finally, Black Hills Information Security has a post about using Google Calendar as a point for phishing attacks. They include the disclosure timeline at the end of the post. It is a good read, and something to be aware of, especially given how commonly Google Calendar is used.

Filed Under: General
