Monday, October 17, 2016

BSides Toronto 2016 - Review


The Canadian Darknet


Just this past Sunday I had the pleasure of attending the 4th annual BSides conference in Toronto.  It was a perfect day for a conference - the weather was warm, wet, and just dingy enough that we would happily sit inside a dark lecture room without a twinge of regret.  So grateful was I for the padded seats, I couldn't complain that the venue wasn't licensed for drink, on a Sunday at 9am.


Ben Hughes kicked the day off with his talk "How you actually get hacked."  We were encouraged to keep our threat models based on reality, not on TV.  Are we good at evaluating risk?  Ben reminds us that the NSA should probably not be in our threat model (unless we are Google), ditto for the nation-state attackers. Though my own thought is that you probably want to keep nation states in the threat model if you are a major utility company, a hosting provider for electronic health records, or the operator of a major subway network.  However, point taken, most of us don't need to be concerned about being attacked by Russia, I mean China, hold on, Russia.


Next, Boris Rudakov appealed to our inner Batman: using bad for good, we learned how a rootkit's "hide my docs" feature can be turned against ransomware itself.  Boris provided a nice demonstration and explanation of how to hide the Documents folder by loading the rootkit as a driver at boot time and intercepting the kernel functions that ransomware commonly uses to crawl the file directories. I'm interested to hear more about whether, in future, this file-hiding technique could be combined with randomly generated locations chosen at system start-up and application whitelisting to defend against ransomware and other malware.


Rounding off the morning, Mahesh Tripunitara enlightened us on the Android approach to privilege management, which uses capabilities instead of setuid permissions.  He presented the setuid approach in Unix and its risks, which remain even with the addition of fixed capabilities.  He showed how Android permission groups and confusing naming conventions are not a huge improvement over the setuid approach.  And even with fine-grained privilege management, users ultimately have only two choices:  accept all the privileges an app requests, or risk that the app won't work.


In the afternoon, Adam Greenhill and Christina Kang presented their group research project (the other team members, not presenting, were Desiree McCarthy and Peter Chmura) with the very catchy name "Decryptonite."  We saw how this team, with limited time and resources, were able to quickly learn Windows internals, analyze over 80 unique families of malware, and write an application capable of heuristic detection of ransomware.  Decryptonite monitors file I/O operations and kills processes that show an unusually high rate of writes per second or encryption-like behaviour.  To learn more about Decryptonite, check out the open source project on GitHub https://github.com/DecryptoniteTeam/Decryptonite
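To make the two signals concrete, here is an added example of the heuristic described above, written for this review and not code from the Decryptonite project: it scores a small, constructed log of file-write events by writes per second and by the Shannon entropy of the bytes written (ciphertext looks random, documents do not). The process names, paths, thresholds and the SHA-256 counter stream standing in for ciphertext are all assumptions for the demo. It also shows the false positive that a legitimate encrypting archiver produces, which is why a kill-on-detect tool needs an allowlist.

```python
"""Heuristic ransomware detection over a constructed stream of file-write events.

Added example; this is not Decryptonite's own code.  It reproduces the two
signals described in the review - an unusually high write rate, and writes
whose contents look encrypted - on a small constructed event log, and shows
the false positive a legitimate encrypting tool produces unless allowlisted.
"""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    pid: int
    process: str   # image name, assumed to be supplied by the monitor
    t: float       # seconds since monitoring started
    path: str
    data: bytes    # the bytes written (a sample of them, in a real monitor)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_processes(events, window=1.0, max_writes_per_sec=20,
                    entropy_threshold=7.5, allow=frozenset()):
    """Return {pid: reason-or-None}.  A process is flagged if, in any sliding
    window, it exceeds max_writes_per_sec, or at least 80% of five or more
    writes look encrypted.  Processes named in `allow` are never flagged."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.t)
        verdicts[pid] = None
        if evs[0].process in allow:
            continue
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.t - start.t < window]
            rate = len(in_window) / window
            if rate > max_writes_per_sec:
                verdicts[pid] = f"{rate:.0f} writes/s exceeds {max_writes_per_sec}"
                break
            encrypted = sum(shannon_entropy(e.data) >= entropy_threshold for e in in_window)
            if len(in_window) >= 5 and encrypted / len(in_window) >= 0.8:
                verdicts[pid] = f"{encrypted}/{len(in_window)} writes look encrypted"
                break
    return verdicts


def pseudo_ciphertext(seed: bytes, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 counter stream)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def build_sample_events():
    """Constructed sample: a word processor, a ransomware-like process, a legitimate archiver."""
    text = b"Minutes of the Monday meeting. Action items were assigned to the usual suspects. " * 50
    events = [WriteEvent(1001, "WINWORD.EXE", t, f"C:\\Users\\amw\\Documents\\doc{i}.docx", text)
              for i, t in enumerate((1.0, 4.0, 9.0))]
    # 50 files rewritten with ciphertext in half a second
    events += [WriteEvent(2002, "updater.exe", 5.0 + i * 0.01,
                          f"C:\\Users\\amw\\Documents\\file{i}.docx.locked", pseudo_ciphertext(b"r%d" % i))
               for i in range(50)]
    # 8 encrypted archive parts in under a second: a modest rate, but every write is high-entropy
    events += [WriteEvent(3003, "archiver.exe", 20.0 + i * 0.1,
                          f"D:\\backup\\part{i}.7z", pseudo_ciphertext(b"a%d" % i))
               for i in range(8)]
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for pid, why in score_processes(evs).items():
        print(pid, "KILL:" if why else "ok", why or "")
    print("archiver with allowlist:", score_processes(evs, allow=frozenset({"archiver.exe"}))[3003])
```

Run as-is, the word processor passes, the fast encryptor is flagged on rate alone, and the archiver is flagged on entropy until it is allowlisted. The entropy check needs a reasonable sample per write: a few dozen bytes cannot reach 7.5 bits per byte however random they are, so a real monitor must sample at least a few kilobytes of each write before applying this threshold.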


Judy Nowak presented her ideas on what is needed to integrate security incident reporting into an IT ticketing system.  Through her research we were shown how many IT ticketing systems lack the fields needed to track security incidents.  She also had us consider some of the complexities involved, such as exposing sensitive security information to the IT helpdesk, transferring tickets that are erroneously categorized, and the need to track the actual incident date versus the date the incident was reported.  Spreadsheets are a start, but I'm thinking that they would not provide the immutability needed for medium to large enterprises.  It was noted by a member of the audience that BMC Remedy has these features available, but if your IT ticketing system does not provide the fields you need to track security incidents, then this talk should serve as a call to action: request the improvement from your ticketing system provider, and make the world of security incident reporting and tracking a better place.


The last formal presentation was given by the good folks from Telus ("the future is friendly" TM), Milind Bhargava and Peter Desfigies.  They presented their research results on the Canadian Darknet.  This is not, as I imagined, an outlet for the sale of black-market goods in exchange for maple syrup. The Canadian Darknet allows for the sale of Canadian identities and other illegal or shady items, for currencies, sometimes digital like bitcoin, or paid for with other stolen goods such as PayPal accounts or gift cards.  Is that Kijiji advertisement by the 26 year old single female looking for someone to show her how to use the Darknet a legitimate request, or police entrapment?  I leave it for you to decide.


Thanks to everyone who presented, including those I didn't cover in my review.  You all gave me something valuable to think about.  And thanks to the conference organizers for providing an awesome BSides Toronto 2016 event!

------
Ann-Marie Westgate is an information security consultant with Digital Logic Solutions Inc.
Follow me on Twitter @AM_Westgate
Subscribe to me on YouTube: https://www.youtube.com/channel/UCRKrOK7r4jq5M5Bawx8wnMg

Sunday, October 9, 2016

Acing the InfoSec Interview



When you finally land that interview for the perfect job, you will want to prepare before the big day. You will get interview questions designed to find out about your past experience.  These may be fact-checking and aptitude questions, or they might be Situation, Action, Result (SAR) questions.  When the interviewer's questions are done it will be your turn to ask a couple, and that is another way you can stand out in the interview.

Fact Checking Questions

This first type of question is used to assess your past experience and skills as they relate to this particular job.  They might be very specific, such as "have you ever used the XYZ vulnerability scanner in your past roles?" or "how many assessments would you perform per year?"  For these specific questions it can be hard to judge whether more is wanted, so the best approach is to answer the question and expand a little on your role, for example how you used the specific tool or what influenced the number of assessments you did.  Keep an eye on the interviewer's body language to see whether the short answer was sufficient or they would like you to go further.  If you are not sure, it doesn't hurt to ask: "would you like me to tell you more about my specific duties as they relate to tool XYZ?"

Behavioural Questions - Situation, Action, Result 

Another type of interview question is sometimes referred to as "SAR": situation, action and result.  Here is how it works: the hiring manager asks the interviewee to describe a specific experience and its outcome.  For example:  "Tell me about a time when you had to deliver a failing security report to a client.  What did you do and what was the outcome?"  This is a typical SAR question, and hopefully you have done your homework before the interview and already have an answer formulated!  Let's work through this example to see how you could answer it in an information security interview:

  • Situation:  Set the scene for your chosen example "Working for customer ABC (who will remain anonymous), I performed a penetration test over the course of 10 days.  On the first day I found several critical vulnerabilities which I needed to communicate to the customer right away, and then by the end of testing there were more findings than I could list in the time allocated for reporting."
  • Action:  What did you do in this case?   "I communicated the critical findings right away, as is customary for these types of engagements and written in the SOW (Statement of Work).  As far as the failing security report goes, I summarized the findings into categories and created a report that stated the facts and included the proof of concept screen shots.  Because there were so many findings, I focused on the most critical and high findings, then provided a listing of the mediums without as many details."
  • Result:  What was the outcome?  Was it successful?  "The customer was obviously very unhappy that the report had so many findings, and it was probably a bit of a wake-up call.  I was very supportive, walked through each of the findings with the customer and answered their questions to support my findings.  We were able to sell retesting services to verify the remediation."
Here are some information security specific interview questions that can be answered using the SAR approach:
  1. Did you ever have to explain an information security topic to someone who is not in the security field?   While this is asked as a yes/no question, reframe it to describe a scenario where you worked with a non-expert: what did you do and what was the outcome?
  2. Tell me about a time when you had to take over a security testing procedure and there were no written standard operating procedures in place.
  3. Have you ever had to respond to a security incident when you were on call?  What was the incident and what was the outcome?  Note, you should be careful not to give away too many details - it is okay to talk in generalities without giving away the specifics of the employer and their environment. 
  4. Security is often seen as an inhibitor of business being able to get projects done.  Tell me about a time when your client thought that you were impeding progress.  How did you handle it and what was the outcome?
  5. Did you ever work as a security consultant as part of a cross-functional project team?  What was your role and were you successful in it?
There are many interview question banks online, and it is worth working through these questions with someone who can help you practise your interview skills.  Here is one example of a question bank:  https://careerservices.wayne.edu/behavioralinterviewinfo.pdf  While some of these questions are not security specific, by preparing your responses you will begin to find them formulaic to answer, and it will be easier to answer SAR questions in interviews even if they are not ones you prepared.

Human Resource Questions

Of course, you will also get more typical human resources questions.  Don't underestimate the importance of these questions, which are designed to see whether you are a good fit with the culture of the organization.  One question that candidates bomb time after time is:  "Tell me about when you received negative feedback - what was it for and what did you do to improve?"  This may also be asked simply as "Tell me something about yourself where you need to improve."  The interviewer asks this question to assess your emotional intelligence, that is, how well you really know yourself.  Everyone has faults, and people with high emotional intelligence have no difficulty discussing their areas of weakness and the mechanisms they use to keep themselves in check. Here is an example of how one person might answer this question:
  • "I am, at times, excitable or passionate at work, which can be off-putting or can overwhelm other people.  So to cope with this, I keep my caffeine intake in check, and am especially cautious when attending meetings with senior management to remain calm so as to not overwhelm them with information or talk too much."
Remember, no one is expecting you to be perfect, just honest.

Final Words of Wisdom

You will get a chance to ask questions at the end of the interview.  This is the time to really show that you have done your homework.  Ask questions that are specific to the company and to recent news about it, for example new initiatives or partnerships that might have been published on the newswire.  I recommend leaving questions about working hours, working from home, the number of vacation days and the benefits package until you have an offer (most of these can be negotiated), or you may ask the human resources contact who arranged the interview.  Similarly, questions about training programs and whether the employer pays for certifications can wait until you are near an offer; then you can have a call to confirm whether these are part of the overall benefits package. My favourite question, which you can always ask at the end of an interview, is "What keeps you up at night?"

Be careful not to expose your previous employer's sensitive information!  You may be talking about your last employer, but in your interviewer's head they hear you talking about their company in the same way.  Will you be slagging them off too in a couple of years?  Be careful not to say anything disrespectful about your previous place of employment, your boss, or your colleagues there.  Security is a small world, and you will find colleagues that you will know and work with for years to come.

As we continue to hear of the skills shortage in information security, you may find yourself at the interview table, either to start your new career or to make a change in this highly fluid and dynamic environment.  Many of the interview skills you will need can be practiced and mastered with sufficient preparation.  So grab a buddy (or a video camera) and a notebook to begin practicing your interview questions and responses.  Prepare now to score your next great opportunity!

Do you have sample questions for InfoSec interviews?  Share them in the comments section below.

Friday, September 30, 2016

InfoSec Awareness - How old is your password?


 https://dlogic.ca/comics/pwdaging20160930.png


How we choose our passwords has changed over the years.  I remember in 1994 we were told in university that our Solaris sysadmin was turning on mandatory passwords, and we revolted.  At first we all tried using the same password, and then that password got blocked.  Every new "group password" we created would cause another forced round of password resets.  In the end we resigned ourselves to it - if we wanted to share homework, it wasn't going to be by browsing to our friend's home folder and copying it over.  And as we all know now, these password controls ended up being for the best, as data became more valuable.  At first, a word and possibly a number seemed like enough.  Then dictionary attacks, which try every word in a list of common words (and simple variations of them), made it easy to crack a one-word password.

In the early 2000s we were being educated to create passwords that were harder to guess and supposedly immune to brute forcing by, wait for it, using two possibly unrelated words, e.g. "umbrella cow".  Complexity rules were added to ensure we also had a capital letter and a number, and a special character was the icing on the cake.  Though in most cases that special character was likely the ! at the end of the password: Umbre11acow!

By 2010 I began to hear tips like using the first letter of each word in an easy-to-remember phrase: based on song titles, based on funny phrases, or how about "pronounceable" passwords.  Okay, these are probably better than the two-word approach, but each has its own weaknesses too.  For example, passwords based on bible phrases are certainly going to be less secure than passwords created from a sentence known only to you.  And I personally would never use an online tool to create a "funny phrase" for me to use as a password - why not just ask the password crackers to assign you a password?

It is 2016 and the truth is that there is overwhelming opinion that passwords are broken.  That is, the only good password is a random one.  Password vaults have made "memorizing" passwords a thing of the past.  For authentication, always use two-factor or multi-factor options if they are available to you.  Welcome to the age of data phones, where biometrics protect the password stores on our mobile devices - where we store our passwords, which I hope have been updated since we created them in 1998.  :-)
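To show why the two-word, leet-and-exclamation-mark pattern above (Umbre11acow!) falls quickly, and what a vault-generated random password looks like by comparison, here is an added example written for this post, not code from the original. It applies a small set of mangling rules of the kind password-cracking tools use (capitalisation, leet substitutions, common suffixes) to a constructed two-word wordlist and checks each guess against an unsalted SHA-256 hash, then contrasts that keyspace with a random password from Python's `secrets` module. The rule set, the wordlist and the use of SHA-256 are all assumptions for the demo.

```python
"""Why "Umbre11acow!" is weak, and what a vault-generated password looks like.

Added example; not code from the original post.  A small rule-based
dictionary attack (capitalisation, leet substitutions, common suffixes,
the kind of mangling rules cracking tools apply) is run against a
constructed wordlist, and contrasted with a random password from `secrets`.
"""
import hashlib
import itertools
import math
import secrets
import string

LEET = {"a": "4", "e": "3", "l": "1", "o": "0", "s": "5"}   # assumed rule set
SUFFIXES = ["", "!", "1", "123", "2016", "!1"]               # assumed rule set
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def leet_variants(word: str):
    """Yield `word` with every combination of the LEET substitutions applied."""
    letters = [c for c in LEET if c in word]
    for r in range(len(letters) + 1):
        for subset in itertools.combinations(letters, r):
            out = word
            for c in subset:
                out = out.replace(c, LEET[c])
            yield out


def candidates(wordlist):
    """Yield guesses: single words and two-word joins, each with case, leet and suffix rules."""
    bases = list(wordlist) + [a + b for a in wordlist for b in wordlist]
    seen = set()
    for base in bases:
        for cased in (base, base.capitalize(), base.upper()):
            for leet in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = leet + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash a leaked database held."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, wordlist):
    """Return (password, guesses_tried); password is None if the rules never hit."""
    tried = 0
    for tried, guess in enumerate(candidates(wordlist), 1):
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None, tried


def keyspace(wordlist) -> int:
    """How many distinct guesses the rules generate from this wordlist."""
    return sum(1 for _ in candidates(wordlist))


def random_password(length: int = 20) -> str:
    """What a password vault generates: uniform choice from a 94-symbol alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    words = ["umbrella", "cow"]           # constructed wordlist
    leaked = sha256_hex("Umbre11acow!")   # the password from the post
    print("rule keyspace for", words, "=", keyspace(words), "guesses")
    print("cracked:", crack(leaked, words))
    pw = random_password()
    print("random vault password:", pw, f"({entropy_bits(len(pw)):.0f} bits)")
    print("same rules against it:", crack(sha256_hex(pw), words))
```

With a two-word list the rules produce well under two thousand guesses, and the password from the post is among them; a real attacker uses a wordlist of millions of words and far richer rules, which is why "two words with substitutions" only looks strong. A 20-character password drawn uniformly from 94 symbols carries about 131 bits of guessing entropy and has no pattern for a rule to exploit, which is the case for letting the vault generate it.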

- AMW

Monday, September 26, 2016

My Top 10 Take-aways for PCI North American Community Meeting 2016



I had the pleasure last week to travel to Las Vegas and attend the PCI North American Community Meeting.

In honour of the PCI SSC's 10th anniversary, I have created my own personal top 10 take-aways.  This is my list of most important messages from the conference in reverse order.

Please feel free to respond in the comments.  What were your take-aways?

10) Emerging technologies:  we will see biometrics used more often, for example to authenticate mobile wallet transactions.

9) Mobile payments, more specifically the practice of using a mobile device as the point of interaction / point of sale, require the use of an approved SRED device.  SRED (Secure Reading and Exchange of Data) is the PCI PTS module that provides encryption of card data at the point of capture.  The list of approved SRED devices is on the PCI website:  go to https://www.pcisecuritystandards.org/.../pin_transaction_devices and set the "Functions Provided" pull-down to "SRED."

8) David Phister of Diebold Nixdorf said that long-edge card readers will be the way forward for ATMs.  According to David, they do not carry the same risks from card skimming devices and can work with EMV.  As an aside, this was my favourite talk overall - why are ATMs so interesting?  Just google "Diebold ActivEdge" to learn more about long-edge card readers. Other tidbits from this talk: discussion of ATM malware, the need to sign ATM software, and boot process integrity checking.  Perhaps it just reminds me of my days working for a regulator of electronic gaming equipment.  Also, did you know that the 18-24 year old cohort has the strongest preference for cash, at 40%?

7) Special Interest Groups (SIGs) for 2017 will be chosen by election after the European Community Meeting.  For next year, the choice of SIG will be from the pool of previous SIGs, so that in 2017 we can update those materials, i.e. no new SIGs for 2017.

6) Talking to the Board of Directors - boards need to start asking questions: why are we doing what we're doing, which assumptions should we challenge, why are we keeping certain data, and have we looked at how to devalue that data?

5) SDLC - 80% of attacks are at the application level.   Organizations should ensure a documented secure SDLC is being followed.  I think the emphasis here is that requirement 6.3 (developing software securely) may not be given the full attention it needs, and organizations would be well advised to strengthen their SDLC to improve overall security, not just to obtain PCI compliance.

4) Chris Novak, Verizon - up until now, organizations have concentrated on north / south protections, that is, traffic crossing the perimeter.  Multi-factor authentication helps protect against east / west threats, the lateral movement of an attacker who is already inside the network. I agree.  Perhaps east / west threats should be examined more closely in our annual threat risk assessments and security shored up accordingly.

3) Chris Novak, Verizon, said that we could be better at using our people as a line of defence, a kind of human intrusion detection system.  This means educating them to speak up if they see anything unusual; it is not enough to just report confirmed security incidents.  Instead:  "If you see something, say something." How catchy is that?!  I see it is a slogan of the Department of Homeland Security:  https://www.dhs.gov/see-something-say-something

2) Troy Leach in his state of the council keynote said that organizational focus has been (1) Get compliant, (2) Stay compliant, and (3) Simplify compliance.  More and more companies are now looking towards the simplify compliance stage.

1) The strongest theme throughout the conference was moving past "if you don't need it, don't store it" towards a push to devalue account data using tokenization or encryption.  I detected a strong push towards tokenization, and secondly towards P2PE and end-to-end encryption solutions that protect card data at the point of capture.

So that's it - what were your top 10 take-aways from this year?  Please post in the comments below or connect with me on LinkedIn.

Picture Credit:  http://www.classism.org/wp-content/uploads/2014/03/cake.jpg

Thursday, May 19, 2016

Protect Yourself from Ransomware - Security Awareness Message for June 2016

Ransomware, Photo credit Carlos Amarillo / Shutterstock

In the past couple of months we have seen a growing number of ransomware campaigns targeting healthcare(1) and critical infrastructure(2). This month’s security awareness message aims to address questions staff may have about how to protect themselves at home and at work.  Feel free to use the following text to spread the message in your organization, and to create a culture of security:
“You may have heard about “ransomware” in the news, and how cyber-criminals are targeting commercial organizations by spreading malware.  Did you know that your home computer may also be at risk?  This malware, when it is installed, works by locking (or “encrypting”) all the files on the computer and any other files that it can find through shared folders, and then demands payment to unlock (or “decrypt”) these files.  The ransom money is used to fund organized crime, and further encourages the proliferation of these types of attacks.

Here are some suggestions for how you can protect yourself from ransomware both at home and at work:
  1. Always ensure that you have more than one copy of your important files.  That way if your hard drive is encrypted by ransomware you can wipe it clean and restore your files from backup.
  2. Keep your backups in a safe location, offline if possible.  Do not store backups on the same computer, or on a network drive that is always connected.
  3. Do not mount network shares or join a Windows Workgroup or Homegroup unless you absolutely need to.  Connect to the network share when needed, and disconnect when you no longer need access.
  4. Keep your operating system and application software up-to-date by checking for and installing patches.  Ensure that your antivirus software is up-to-date and running.
  5. Avoid logging in with administrator accounts.  Provision other users on your home computer with regular user access, not administrator access.
And, as always, your best defence is to never click on any link that you do not trust.
If you suspect that you have installed ransomware and your computer is being encrypted, then power off the computer immediately, disconnect the network cable, and call the helpdesk to report the incident and recover.”
Remember to include a link to your organization’s relevant policies for where and how to back up important company data on laptops and desktops, and reference the relevant sections.
Here are some links to further reading:

Follow me on twitter @AM_Westgate  
Ann-Marie Westgate is a Sr. Information Security Consultant with Digital Logic Solutions Inc.  Please contact us for information on how we can make your security awareness program easy.

Security Training and Awareness - Creating a Culture of Security

What is the difference between IT Security Training and Security Awareness?





By planning for and providing for both Security Training and ongoing Security Awareness campaigns, your whole organization will benefit.

Flickr: Stfaiths Road safety training 009

Security Training

You already know that Information Technology (IT) security training is an essential part of an enterprise security program. It provides targeted instruction on your company’s security policies, procedures, and techniques and focuses on developing skills such as secure coding or using a security tool. Also, you can measure what your participants have learned. Was the training effective? Have the participants learned the material? Can they understand and apply the new ideas?
Conducted by knowledgeable instructors, effective training programs go beyond asking participants to read a document and attest to understanding and agreeing to comply. Some examples of security training include:
  • Annual Security Training explaining the acceptable use policy and information security policy with all employees,
  • Data Protection Training to understand requirements for the protection of Personal Health Information (PHI) or credit card information,
  • Secure Development training for developers to learn secure coding practices, and
  • Contact Center Security training to prepare staff to detect and respond when they are a target of social engineering.

Security Awareness

Security awareness, on the other hand, is more about reinforcing general security principles, and drawing attention to a particular issue so that staff can respond accordingly. You can foster this culture of awareness through reminder messages that benefit the organization as a whole. Awareness campaigns complement training by reinforcing the company's policies, procedures, and practices covered in your targeted security training. Just as you remind young people to look both ways before crossing the street, these campaigns remind your colleagues to keep security threats front-of-mind, and to be aware of new and emerging threats.  
In contrast to training programs, security awareness campaigns may be less formal in their delivery, and generally do not require you to collect evidence or evaluate the participants. According to NIST SP 800-50 “The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.”
Some examples of issues that you can highlight in your security awareness program are:
  • How to choose good passwords, and how to keep them secure
  • Piggy-backing (tailgating), and challenging those who do not use the door card readers
  • How to prevent computer viruses, and what to do if you are infected
  • Recognizing phishing emails, and remembering to click only trustworthy links
By combining Security Training with an ongoing Security Awareness program, you will help to create a culture of security and promote vigilance. In short, your organization will be better prepared to address the security of information and technology assets.  
The protection of information and technology assets is as much a human issue as an IT issue. Take a moment to think about your own Security Training and Awareness programs. What formal training do you provide? Do you have a program of ongoing Security Awareness? What can you do to better to create a culture of security?
If you enjoyed this article, please “follow me”. Stay tuned to my next segment where I will discuss some of the business drivers for Security Training and Security Awareness. Have anything else to add? Please post them in the comments below.
Ann-Marie Westgate is a Sr. Information Security Consultant with Digital Logic Solutions Inc. http://dlogic.ca
Further reading:
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf 

Friday, April 29, 2016

Security tips for laptops and mobile devices - Security Awareness Message for May 2016

Canadians recognize Victoria Day this year on Monday May 23. Why not use this month’s cyber security message to create a culture of security by reminding staff about safe laptop practices?  Feel free to use the following text to spread the message in your organization:
Celebrate Victoria Day!

“Monday May 23 is Victoria Day and many of you will be retreating to the cottage or away on a weekend break to escape the hustle and bustle of the city. Whether you are bringing your work laptop or your own personal computing equipment with you, remember to practice these safety tips:
  1. Never store your laptop or personal computing device in plain sight of your vehicle where it can attract the attention of thieves. Store it in the trunk or otherwise keep it covered.
  2. When staying at a hotel or resort, use the safe in the room to store valuables. If there is no safe, you may wish to request the front desk to store your valuables securely.
  3. While the hotel may offer free Wi-Fi, your company policy may forbid you to connect your computer to an insecure network. Whether for work or personal use, a more secure option is to tether to your own phone instead.
Statutory holidays are a great time to get away and enjoy some down time. If you are not required to be on-call, perhaps consider leaving all your devices stored (securely) at home or in the office instead.  Enjoy the break!”
Remember to include a link to your organization’s relevant acceptable use policies that cover mobile devices and laptops, and reference the relevant sections.
Stay posted as I hope to share more security messages on a monthly basis. Have anything else to add?  Please post them in the comments below.