Hack The Planet

Because if you don't, who will?

Thursday, November 22, 2018

Being Thankful

With all of the madness going on in the world, it is nice to have a day to sit back and practice gratitude for all of the good (and bad) things in my life. We often think of only being grateful for the good, but usually the bad is what really shapes us. Here are a few things I am thankful for today.

Being laid off twice in one year during the internet bubble burst of 2001 helped my career more than I could have known at the time. In 2000 I was sure I was going to be at a startup that was going to make me “rich”. I had shares; every company that went public went big, or at least it seemed that way to me, so I was set. Then the bubble burst and reality set in. I was handed a severance package and was on my way to another startup.

With all of 14 of us in the entire company, and the economy still reeling, it wasn’t a surprise when I was let go again, and then later the company folded. This could have really driven the nail into my IT career. There I was, straight off of being let go for a second time, living on a friend’s couch because I had burned through my severance and not knowing if things would turn around.

Thanks to a friend and mentor from a previous company, I was lucky to get another opportunity at a larger company that had more stability and an incredibly gifted team. The skills I learned at this new company, and the people I worked with, helped propel my career forward in ways I couldn’t imagine at the time. If I had not been let go, I would not have been open to working for a larger organization, I would not have met some of my closest friends, and I would probably not be working in the career field I am. Sometimes a little hardship opens the door to much greater rewards.

Struggle also helps reset what you are willing to do and can be a great ego check. After being let go I was willing to do whatever job was required. Overnights? Check. Overtime? Please, Sir, can I have some more? Everything and anything I could do, I would do. If I hadn’t gone through the hard times, I would have missed out on a lot.

I am also grateful for the good times. Working for and with great people throughout my career makes me feel very lucky. Many of my best friends are people who started as coworkers, and some of those coworkers started off as high school classmates, which makes me even more thankful to have had wonderful people around me throughout my life.

As you move through your career, be it Information Security or something else, surround yourself with good people and you will always be able to work through any hardship or struggle.

I hope everyone has had a Happy Thanksgiving, and a safe holiday season.

posted by holliday at 9:27 pm  

Wednesday, June 27, 2018

What is in a name?

An ongoing conversation in the Information Security community, or hacker community, or Cyber Security community, is all about what we should call things, people, etc. You can see this in the first sentence. I have written about this before, I am sure, but over the last few weeks I have seen an uptick in what this or that word means and what words we should use instead. As an example, there have been recent LinkedIn conversations about the use of the word “hacker”.

The word “hacker” is constantly being debated, as is whether hackers wear black hoodies (hint: just like everyone else, some do, some don’t). I am going to try, as many others have before me, to add some context to the ongoing discussion.

An early reference to the word “hacker” comes from gnu.org, and says that a hacker is someone that enjoys playful cleverness. It doesn’t call out computers, networks or any technology. You can be a food hacker, or a film hacker, or anything else. I think this use of the word was behind the movie Hackers from 1995. The characters were playful, creative, and just wanted to have fun.

Another reference to hackers comes from “The Conscience of a Hacker”, or as it is commonly known, “The Hacker Manifesto”. In it, Loyd Blankenship, aka The Mentor, explains what it means to him to be a hacker. He describes the freedom, curiosity, connections and unity of being a hacker: “after all, we’re all alike.” I find it still relevant today.

Bugcrowd put out a blog this week in which they try to define the word hacker. I think they do a good job of summing up a lot of the issues, and I appreciate their Burglar/Locksmith == Cybercriminal/Hacker analogy. We as an industry and community have tried to find alternatives to the word “hacker” for the media and others to use when describing cybercriminals. Sadly, hacker is sexier than cracker and will always get more clicks.

To add more to our naming crisis, we run into hurdles describing what we do as hackers. In a recent episode of Paul’s Security Weekly there was a discussion about pentesting, red teaming and others, and what they all actually mean. When engaging with customers I also find that not all of them understand the differences between penetration testing and red teaming. Because the industry is always evolving, we see new companies come out claiming to do one thing when really it is something else, and because they can sell off of the misunderstanding, they do.

We see the same confusion over EDR, Threat Intelligence, Machine Learning and Artificial Intelligence. It is no wonder that people outside our industry have no idea what we do, when those of us inside it can’t agree on what to call our solutions or even ourselves. I am not even going to get into the issue with our job titles, because the “Am I an Engineer? Am I an Architect? Senior? Principal? Staff?” debate, which leaves our customers and peers with no idea of what we do, drives me crazy.

In the end, what is in a name? A lot! Use your words carefully, because they can mean many different things to many different people.

Updated: Motherboard has also commented on the word “hacker” and wants to change the definition of it. From their glossary:

“Hackers can now be used to refer to both the good guys, also known as white hat hackers, who play and tinker with systems with no malicious intent (and actually often with the intent of finding flaws so they can be fixed), and cybercriminals, or “black hat” hackers, or “crackers.””

I have a feeling this won’t be the last article we read about the definition of hacker.

posted by holliday at 4:00 pm  

Sunday, June 3, 2018

A few thoughts on hacker culture (or cultures)

Over the last few weeks I have read a few different threads on hacker culture. As I was reading them a lot of things crossed my mind, and it made me think about what someone who was just starting their career or hobby in Information Security, Cyber Security, or hacking for fun and profit, would think about the world they were entering. Here are a few of the discussions and my thoughts and feelings on them.

What is appropriate to wear to a conference?

This is a good example of multiple competing cultures within the hacker community. Some folks in the community want to try to shock people with what they wear, or how their hair is cut. Others in the community are more on the business side of things and expect a certain level of professionalism. Which side of the fence you sit on, I would guess but have no metrics to prove it, comes down to how you came into the community, or your lifestyle outside of it.

It also reflects a feeling I have seen in the community over who is actually part of the community and who isn’t. There is an incredible amount of “Imposter Syndrome” in hacker land, and it is only exacerbated by the divisiveness between groups/cultures. If you don’t have a mohawk, you aren’t really a hacker. If you don’t drink, you aren’t real. If you wear a shirt with buttons, then you aren’t “1337”. In the end, the only thing that should matter is whether you want to be part of the dysfunctional family that is our community or not. How you look, talk, drink or act doesn’t determine it. Sadly, we don’t all agree on that.

One thread I have enjoyed is about what the DEFCON conference means to you.

I have been attending Defcon for over a decade, which, funnily enough, still makes me a bit of a n00b. Saying that, I have always loved attending, and I find new people to hang out with and learn from every year. A large part of our community, I would even say the vast majority, is very welcoming of everyone. The ability to learn many different skills, from lock picking to car hacking, in one location is incredible. Defcon to me is like summer camp: a place to reconnect with friends and learn some new skills.

One of the biggest differences I have seen among the different cultures in the hacker family tree is the word “cyber”. Some people love it, some people hate it, and it seems that most people like to argue about it. There was a recent post by Lenny Zeltser on this, and I appreciated the explanation from Jessica Barker:

“The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.”

While I may be partial because I use the word “cyber”, I also agree with this thinking. When I tell someone what I do, or want them to know I am an expert and am there to help, I have to use language they will understand. If I start using jargon they are not familiar or comfortable with, then their understanding is limited and I won’t be as effective. If we are not confident enough in ourselves, and want to be cool and avoid words we feel are just marketing buzzwords, then we are not helping our customers, our fellow citizens or ourselves.

In the end, being part of this community, or extended nerd family, means dealing with many different, often competing, cultures and being able to figure out where (or if) you want to fit in.

posted by holliday at 9:40 pm  

Monday, May 14, 2018

Why find the Unknown Unknowns…

Humans like to solve problems that are readily known or are easy, and ignore ones that take some digging or are difficult. We are lazy animals, but that is a good thing. System Administrators create scripts to eliminate repetitive tasks. This is good. We should work smarter, not harder. The issue is when we disregard tasks or threats because they take time and research. We in Information Security often fix the “known knowns” and hope that we aren’t impacted by the “unknown unknowns” (UUs). We need to start bringing our unknown threats into the light of day, or a nice dashboard, so that we can act on them and protect our environments from them.

When we think of securing our information and our networks, we often start with our knowns. We know we need to defend our digital borders, so we install firewalls. We know we need to protect our endpoints, so we install anti-malware software. We may even know that we need to protect our data and we deploy a Data Loss Prevention solution, but I rarely see folks do this intentionally, and if they even have a solution it isn’t tuned and is a check box on some compliance form more than anything else. Admittedly that last one kills me, because there are a number of solutions you can get that would have stopped any number of the breaches we have read about, and some we haven’t even heard about yet, but we don’t put the energy or budget into solving this one.

As we move to the more mature security environments, you will find vulnerability scanning, looking for those known vulnerabilities, though an incredible 26% of companies said they didn’t have time to patch. Then you may introduce a Network Access Control solution, possibly from your network equipment vendor or one of the few remaining stand-alone solutions, but again, I don’t see organizations actually utilizing the investments they have made in NAC. The list of solutions keeps growing as your organization matures, but oftentimes the investment in tools does not mean that they are being deployed or tuned, or that your staff is being trained on them.

With more tools comes more alerts, and with more alerts comes alert fatigue. I have walked into many a SOC (Security Operations Center) and found alerts all over the screens and analysts just sitting at their desks ignoring them. Like the boy who cried wolf, the alerts had trained the analysts to ignore them. The scary thing is that any of those alerts could have been critical and truly important, but because of all the noise it would have been ignored along with all of the others.

This is where having a good solution to monitor all of your tools, endpoints, logs and network data becomes necessary. If done right, it will lower your alert volume so that your analysts can spend time on the most critical events, and it will also give you visibility into your environment so you can find those UUs. I have mentioned the NCTOC Top 5 SOC Principles before, and want to point out that number 2 on that list is visibility. We must build visibility into our environments, not just for the UUs, but to alleviate alert fatigue and give your team their best chance at stopping a breach or other organization-impacting event.

posted by holliday at 12:36 pm  

Saturday, May 5, 2018

The Art of Best Practices…

In Information Security “Best Practices” are commonly referred to, but rarely practiced. This is the cause of most of the breaches and hacks that plague us today.

One best practice that isn’t sexy, but is incredibly necessary is updating. This is often a battle with different business units, which means a breach is inevitable. Possibly the hardest part about being an information security professional is convincing the business to do what is best for it. This is where understanding the business, and being able to speak the same language as the executives is key. It also helps if you have the data to back you up, but that is another topic.

At RSA 2018, Dave Hogue, Technical Director for the NSA, discussed how they secure themselves from 0-days using their own principles, including hardening to best practices. We live in a world where our adversaries are able to engineer attacks for disclosed vulnerabilities faster than most organizations are able, or willing, to patch. If you would like to keep your organization secure, you will need to find a way to convince it to keep up with patches and follow as many other best practices as possible.

And if you need a list of best practices, there are plenty out there to choose from.

posted by holliday at 4:27 pm  

Thursday, April 26, 2018

When your adversary makes a mistake…

There is a perception that cyber criminals and nation state hackers are untouchable, and that hacking or cybercrime is low risk to the attacker. While this may be true in some cases, we have seen more and more hackers caught and sentenced for their digital crimes. It has become very apparent that if you commit a digital crime, you have a pretty good chance of ending up in a physical prison cell.

How do we capture these criminals? Just like in real life, we look for their mistakes. Whether it is sharing pictures on Facebook, or forgetting to log in to an anonymizing service, these digital desperados are just people, and eventually everyone will have a slip-up.

Napoleon said it well, “Never interrupt an enemy making a mistake.” We need to be patient and vigilant, because eventually our adversaries will make a mistake and we need to be ready for it.

That is all for now. Happy hacking!

posted by holliday at 8:57 pm  

Thursday, April 19, 2018

When the lights go out…

For years, information security researchers have warned about attacks on ICS (Industrial Control System) infrastructure at power and water facilities, but this year we may finally start seeing some executives taking it seriously…or are they?

In 2010, the world became aware of Stuxnet, an elegantly designed piece of malware targeted at SCADA (Supervisory Control and Data Acquisition) systems at Iran’s Natanz nuclear facilities. The goal of the malware was to cause the centrifuges at the facility to fail, and by all accounts it was very successful. Stuxnet woke up the information security world to the risk of what malware targeted against ICS/SCADA systems could do, and the risks we all faced. Sadly, many people in the C-Suite believed, as many people do, that attacks only happen to other people.

In 2017, the Triton/Trisis malware was discovered to be targeting a vulnerability in Schneider Electric’s Triconex firmware. One victim was reportedly in the Middle East, but how many organizations have been truly impacted is unknown. This RAT (Remote Access Trojan) triggered an emergency systems shutdown before it could deploy its payload, or we may never have discovered it.

One of the interesting functions in both of these different malware samples is their ability to collect information from the systems they have infected. Stuxnet used this capability to replay information to the monitoring systems to show that everything was okay, while in reality the centrifuges were failing. Advanced and motivated adversaries build these carefully crafted attacks not only to cause destruction, but to hide themselves and what is truly going on in the environment, extending their ability to cause damage. It is both impressive and terrifying.

In a recent survey by Tripwire, people from the energy sector were asked about their concerns, the classic “What keeps you up at night?”. The answers were interesting if not expected.

91% responded that they were worried about cyber attacks against their ICS systems. It makes sense that they would be concerned, but I wonder if the other 9% didn’t understand the question. If you are in the energy sector and are not worried about this, then you should be replaced because you don’t understand your threat model and what you are up against.

70% responded that they were concerned that an attack would result in a catastrophic event. With the capabilities that Stuxnet, Industroyer, and Triton have at their disposal, the likelihood of an incident that causes massive loss of life is growing.

The one statistic that I really want to share is that 56% of respondents stated that they will only see more security investment “Once there is a significant attack” against them. This is incredibly telling. This comes from the idea that it is cheaper to fail or be breached than to properly secure your environment. Sadly this has proven out to some degree, and even more sadly, shareholders are valued over lives.

I am sure we will see even more attacks moving forward, and I can only hope that we learn how to properly invest, and protect our energy and water facilities before it’s too late.

posted by holliday at 1:08 pm  

Saturday, April 14, 2018

The Cybersecurity Talent Gap

It has been talked about for years, but the cyber security talent gap, or the ability to hire information security folks with any real expertise, is still massive. In a recent study it was taking some organizations over 6 months to fill a position. Couple that with the ever increasing rise in cyber crime, and it doesn’t look pretty.

I spoke on Cybersecurity Education a few years ago, and the numbers then showed we would have over 1,000,000 unfilled seats by 2019, and from other reports it looks like we are already there. We are seeing more and more need for individuals that can perform key cybersecurity duties, and a greater lack of skilled candidates than anticipated.

When I spoke, I mentioned we needed to train people using techniques such as gamification, and now a report from McAfee is looking at bringing gamers into the field. I think this is a good idea, but they have to want to make the jump. Cybersecurity is a lot of fun, but only for those who are passionate about it. Gamers may be more likely to enjoy it than others because they are used to having an active adversary they are competing against. I know I love it.

One thing that seems to have been lost in the talent gap is how we retain talent. As an industry we really need to make sure our executives and HR teams understand that it is easier to train someone than to hire the perfect candidate. Offering competitive training and helping your own people future-proof their careers is a way to keep your best and most loyal employees, and also to differentiate your organization when you are trying to hire that ever-elusive candidate.

To end with some good news, it is only taking organizations 101 days to discover an incident, down from 416 days in 2011. I mean, it isn’t great, but we take any win we can.

posted by holliday at 4:59 pm  

Thursday, April 5, 2018

Another week, another…

Every week I wake up to news of a breach, or that a previous breach’s headcount has increased, or there is a new attack. We are still living in a digital wild west, where security sheriffs try and protect their town, but marauding bands of thieves continue to pillage with almost no risk of being prosecuted. Time to pull ourselves up from the latest news and get back to protecting our users.

Here are a few stories from this week that made the headlines and drove home the point that we have to do better.

After all of the news about Facebook giving third-party companies access to users’ data, which was then used against those users, the hits keep coming, with the number of users impacted rising to at least 87 million, and it will probably continue to grow.

As much as I love Panera’s soups and sandwiches, the way it deals with security vulnerabilities leaves much to be desired. If companies continue to behave like this, researchers will stop reporting vulnerabilities and the impact to the company will be much worse.

Anytime we make a tool for law enforcement, we must assume that it will be used by criminals, or in this case spies. Once a technology is available to anyone, it is available to everyone. We need to think about this as the battle over encryption and backdoors continues to be fought.

I like to end things on a fun note, so if you are going to be walking through a jungle you may not want to wear “Obsession for Men” unless you like the attention of cougars, and not the human kind.

posted by holliday at 8:43 am  

Friday, January 19, 2018

There is no edge…

I remember early in my career that when it came to security you had to protect the edge. You put in a firewall, then as we moved forward you would put in an IDS, and everything was about the edge. It was a castle model. Basically, we built the walls, the moats and all manner of protections to keep the invaders out. I don’t need to rehash all of this because it has been talked about before.

Move forward to the last few years and the edge has dissolved. We have kept up our walls and protections, but our business has moved beyond our walls. Our business is done in the fields, and in other towns and castles, or all the way across the world. The invaders don’t need to come to our gates anymore; we take our treasures to them, in the shape of our mobile and cloud-connected devices.

This week a new malware campaign, Skygofree, hit the news wire and it was completely focused on mobile endpoints. As I was reading different reports about the malware I thought about how easy we have made it for the invaders.

We built our defenses, but haven’t trained our people who were inside the gates how to defend themselves, or even what to look for in an attack. We gave our people access to our resources from anywhere in the world, but not the tools (mental or digital) to protect them. Then we wonder why we were breached.

The digital world continues to move forward at breakneck speed and our protections continue to dwell in the dark ages. Until we wake up to the new reality that there is no edge, we are leaving ourselves ripe for pillaging.

Train your users, build protections into your mobile workforce devices, and keep an eye to the future as there will be new, emerging technologies that will change our protection landscape again before we know it.

posted by holliday at 11:58 am  