Silicon Shecky

Infosec Practitioner


Ransomware, Are You Ready?

June 17, 2021 By Michael Kavka

Developing a ransomware plan is much like anything else. It sounds simple: protect against malware. The reality, though, is much different, and it starts with a properly educated security team coming up with a comprehensive and cohesive plan.

You need to know how your network is laid out. A flat network (which you find in a lot of small businesses) needs extra consideration if it is going to stay flat. If you are segmented, how are you segmented? Do you have any pull with the network team to adjust ACLs, firewall rules and topology to a more secure setup?

Do you know what your company’s crown jewels are? What data is the most valuable, and what data is OK to be without for a period? This helps you direct what needs the best protection when you decide what gets budgeted for (hopefully everything) or if you must be selective due to costs.

Do you have offline or immutable backups? Are they stored in a different location (say the cloud or a cold storage physical spot)? Do you have a fully functioning copy of your Domain Controller that is kept offline except for an occasional sync with the other DCs? That cold DC could get you back up and running much faster than without one.

Have you tested your backups? Have you tested a full bare metal restore of your servers? Do you know what order to bring the servers back online in? Are you sure that you are not just opening yourself up to another attack because your backups have the threat actors backed up in them?

Do you have buy-in from all the departments involved and from the higher-ups? Have you multiplied the time to restore by 3 to account for issues with restoring functionality?

This is just a quick list of some things to think about. Truth be told, even if you pay the ransom and get everything back, you must assume you are going to be compromised a second time. Better to get the data back and treat everything as a loss in the long run: plan on rebuilding everything while using the old servers to keep things running.

Ransomware is a tough topic, and one that is foremost on the executive mind currently. How long until it drifts into the background, like so many other issues do when a new tactic comes along? This is the chance to build that defense, which can aid in other defenses. Just make sure you are covering everything.


Filed Under: General, Security Tagged With: Ransomware

Gatekeeping and Treatment of Others

May 21, 2021 By Michael Kavka

There is an issue in the world that we see crop up in the Information Security/Cyber Security field: gatekeeping. We tend to equate it with making it more difficult to get a job, harder for people to break into the industry, and of course expecting people to just know things. In the world of IT/IS we pick on end users behind their backs pretty regularly for not knowing things. How do we know that they are not trying to learn, though? How does it make someone who is just learning feel when you treat them like an idiot?

I’m not going to lie here, I’ve been guilty of picking on people at times. We are all guilty, especially when someone claims to be an expert when they are not. There are also a number of people who are on the autism spectrum or have other issues that make them awkward and just want to fit in, or who get overly excited when learning something and it works. This has happened to me in the IT/IS field, but most recently outside of it, and let me share this outside instance since maybe it will make things a bit more relatable and be a better moment to learn from for all of us.

One of my hobbies is trains, big and small. I got back into this hobby thanks to my son, who started loving trains when he wasn’t even a year old. It prompted me to get out my old HO scale trains and get them running again, along with buying some new ones. This isn’t my first time being involved in the world of model railroading/toy trains, but the last time I was into it, I was a kid. I drifted away from it when my family moved to a bigger house right before 7th grade, and we stopped setting up the trains during the winter because of the space required for them. Up until then we had set up my trains and my grandfather’s pre-WWII standard gauge sets for the winter time.

Getting back to present day, when my father passed away he was getting ready to get my grandfather’s (mother’s side) trains up and running again. As my son hit his 2nd birthday I found out about local train shows, and found some people there who took a look at these train engines and said they were in pretty good shape and I should be able to run them with a little work. They gave me a list of things to check and do and I went at it. I got those up and running in the spring of 2019, 4 months before my mother passed away. She was happy that she got to see them run again.

During this process I became a huge fan of a specific standard gauge train set that the Lionel corporation made called The Blue Comet. I would check online from time to time, and always see it well out of my price range. Recently, I was able to purchase this train set through an auction at a reasonable price for me. The problem with the auction houses is they grade on cosmetics and do not guarantee the engines are in working order. This engine sort of worked, and had a partially busted wheel on it. I did what seemed like, and overall has been, a good idea, which is to post in a Facebook group about Tinplate Trains that I am a part of, since I could not find any actual instructions for repairing/rehabbing the motor. A few pictures and some threads later, I had pulled the motor apart, cleaned it up, fixed the issues which were causing it to only partially work, and started to put it back together. I thought I had done a good job, and was waiting on some parts that I had ordered which I needed before putting the motor back into the engine shell, so I took a video of the motor running with the wheels on it and posted it to the group (I also posted the video to my Twitter timeline since I put some of my train stuff there).

The responses in the Facebook group were going along great, from “Good job” to issues some saw with the wheels wobbling too much and a squealing sound. Most of the comments included advice on how to go about correcting these issues. Then today (5/21/21) I got this comment:

Now to be fair, I was proud, and when I made the video I thought it was running beautifully. I did use that terminology. On the original post that this comment was made on, I had thanked the group that had been giving me advice on fixing the motor. Never in the video did I claim to be an expert. In other comments which had mentioned issues they saw, I thanked them for seeing the problems and asked for advice. One person has even been messaging with me, wanting to help me learn. Even with the advice in the latter half, seeing this comment first thing in the morning today made my heart sink a bit, but also got me angry, so I responded to this person with:

The only other comments to this critic were calling him out for gatekeeping, from one of the people who has been giving me advice as I have been going along. The thought of just giving up on doing this had crossed my mind when I initially read the comment ripping on me, but I decided more people have been encouraging, and I want to be able to teach my son, so I am not going to quit.

The moral of the story is that one small snarky comment without understanding can be a huge gatekeeping moment in any field. Sharing information, and helping to teach each other, no matter the level we are, is the way to a more secure future. There is a time and place for snark/teasing especially once you know someone, but realize what damage it can do to someone’s aspirations and mental health if done poorly or at the wrong time.

Filed Under: Rants

Are you sure it is the execs?

May 11, 2021 By Michael Kavka

Security is all the rage today. Supply chain attacks, ransomware, data exfiltration: it is all in the news pretty consistently. We as security practitioners have a tough job. We know there is no such thing as being 100% secure, so we make our best effort at securing and detecting. We also realize that detection and reducing dwell time is huge, so we ask for more people, more tools, more money, and it seems that execs are listening. Reports show that security is high on execs’ minds. So if you are a small to medium business, why can’t you detect better? We all know that there is a bottleneck somewhere, and I am becoming more and more convinced it is not at the higher levels. It is more a division of duties and departmental struggle.

If your company is designed well from a security and IT perspective, accounts have only as much privilege as they need. A person in security should not have Domain Admin rights, as an example. A person in the security department also should not be in charge of configuring endpoints, but should be working with the other IT departments to deploy such technology. So if you want to configure and deploy, say, Sysmon, the security people should get everything set for deployment and then pass it to the proper department to deploy. Here is where a bottleneck can come in that we do not think of initially.

Using Sysmon and the collection of its data as an example (since Sysmon is a quality, free and popular product), how are other IT departments possibly the bottleneck in deployment? We, as security engineers, should be able to pass a set of install packages and configurations to the IT team for them to deploy. They just need to deploy it, but wait. How swamped and understaffed is that IT department? Have they bought into the need to deploy this? Do they have time to test on their standard configurations? Then you need to think about which SIEM the data is going into. Who owns that product? Does it actually fall under Security’s budget, or is it under IT’s, and where under IT’s? Is there going to be an increase in cost because of more data coming through? (Pricing by ingestion volume is one spot where SIEMs fail us.) Will this kill their budget? Is there going to be a fight over this that will leave IT less likely to work with us in the future? Who is going to support this new addition to the systems? Do they need training? What is the cost of training and how long will that last? Will it cut into time for their day-to-day job requirements? Is there a different, more business-critical project going on that will cause this to be put on the back burner?
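As an added illustration of what the hand-off in the paragraph above could contain (this is example code written for this page, not a script from the post or from the Sysmon project), here is a PowerShell check that the security team could ship alongside the Sysmon package so the IT team can confirm the install on one of their standard images and measure the event volume the SIEM would have to ingest. It assumes `Sysmon64.exe` and a `sysmonconfig.xml` sit next to the script, that it is run from an elevated prompt, and that the per-minute budget is a hypothetical number agreed with whoever owns the SIEM; the `-accepteula`, `-i` and `-c` switches and the `Microsoft-Windows-Sysmon/Operational` channel are real Sysmon behaviour.

```powershell
# Example hand-off check for a Sysmon deployment (constructed for this page).
# Assumptions: Sysmon64.exe and sysmonconfig.xml are beside this script, the
# caller is elevated, and $MaxEventsPerMin is a placeholder budget agreed
# with the SIEM owner.
param(
    [string]$SysmonExe    = (Join-Path $PSScriptRoot 'Sysmon64.exe'),
    [string]$ConfigPath   = (Join-Path $PSScriptRoot 'sysmonconfig.xml'),
    [int]$SampleMinutes   = 10,
    [int]$MaxEventsPerMin = 200   # hypothetical ingestion budget per host
)

$ErrorActionPreference = 'Stop'
$channel = 'Microsoft-Windows-Sysmon/Operational'

# 1. Install on a fresh image (-i) or just refresh the config (-c) on a host
#    that already runs Sysmon, so the same script serves config updates later.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $SysmonExe -accepteula -i $ConfigPath | Out-Null
} else {
    & $SysmonExe -c $ConfigPath | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# 2. Confirm the service is running and the event channel is enabled.
$svc = Get-Service -Name 'Sysmon64'
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), not Running" }
$log = Get-WinEvent -ListLog $channel
if (-not $log.IsEnabled) { throw "$channel is not enabled" }

# 3. Sample the event rate so the SIEM owner can estimate ingestion cost
#    before every endpoint starts forwarding. Grouping by event ID shows
#    which rules are noisy (1 = process create, 3 = network connection,
#    11 = file create) and therefore which config filters to tune.
$since  = (Get-Date).AddMinutes(-$SampleMinutes)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } `
            -ErrorAction SilentlyContinue)
$perMinute = [math]::Round($events.Count / $SampleMinutes, 1)
$byId = $events | Group-Object -Property Id | Sort-Object Count -Descending | Select-Object -First 5

# 4. Emit one object per host; collect these from the test images to size the
#    SIEM licence before the fleet-wide rollout is approved.
[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    SysmonVersion   = (Get-Item $SysmonExe).VersionInfo.ProductVersion
    EventsSampled   = $events.Count
    EventsPerMinute = $perMinute
    EstEventsPerDay = [int]($perMinute * 1440)
    TopEventIds     = ($byId | ForEach-Object { "$($_.Name):$($_.Count)" }) -join ', '
    WithinBudget    = ($perMinute -le $MaxEventsPerMin)
}
```

Run it on a few of IT’s standard builds (a developer workstation, a file server, a terminal server) rather than on one machine: the per-day estimate and the top event IDs are what make the SIEM budget conversation in the post concrete, and a config that is quiet on a desktop can be very noisy on a server.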

It is easy to point fingers and lay blame, but are security departments doing their due diligence on the whole situation, or are we creating yet another problem? Yes, it gets frustrating to us when something we see as a simple no-brainer can’t be implemented. Yes, it does blindside us when the tools we got buy-in from the execs on are stuck in limbo and not as effective as they could be. Are we, though, bringing the other teams to the table, just like we want to be brought to the table when they are bringing in/developing/deploying new technology, or is it “do as I say, not as I do”?

Security is something we need buy-in for from all parts of our organizations, not just the executives. Are we sure that the bottleneck is not IT, or even us and how we treat others?

Filed Under: Ramblings, Security Tagged With: Cybersecurity, InfoSec, ramblings
