Monday, October 17, 2016

BSides Toronto 2016 - Review


The Canadian Darknet


Just this past Sunday I had the pleasure of attending the 4th annual BSides conference in Toronto.  It was a perfect day for a conference - the weather was warm, wet, and just dingy enough that we would happily sit inside a dark lecture room without a twinge of regret.  So grateful was I for the padded seats, I couldn't complain that the venue wasn't licensed for drink, on a Sunday at 9am.


Ben Hughes kicked the day off with his talk "How you actually get hacked."  We were encouraged to keep our threat models based on reality, not on TV.  Are we good at evaluating risk?  Ben reminds us that the NSA should probably not be in our threat model (unless we are Google), ditto for nation-state attackers. Though my thoughts are that you probably want to keep the nation states in the threat model if you are a major utility company, a hosting provider for electronic health records, or the operator of a major subway network.  However, point taken: most of us don't need to be concerned about being attacked by Russia, I mean China, hold on, Russia.


Next, Boris Rudakov appealed to our inner Batman: using bad for good, we learned how a rootkit's ability to "hide my docs" can be turned against ransomware itself.  Boris provided a nice demonstration and explanation of how to hide the Documents folder by loading the rootkit as a driver at boot time and defeating the kernel functions commonly used by ransomware to crawl the file directories. I'm interested to hear more about whether we could, in future, use this file-hiding technique, together with randomly generated locations determined at system start-up and application white-listing, to avoid ransomware and other malware.


Rounding off the morning, Mahesh Tripunitara enlightened us on the Android approach to privilege management using capabilities instead of setuid permissions.  He presented the setuid approach in Unix and its risks, even considering the addition of fixed capabilities.  He demonstrated how Android permission groups and confusing naming conventions are not a huge improvement over the setuid approach.  And even with fine-grained privilege management, users ultimately have only two choices:  accept all the privileges requested, or risk that the Android app won't work.


In the afternoon, Adam Greenhill and Christina Kang presented their group research project (members also included Desiree McCarthy and Peter Chmura, not presenting) with a very catchy name: "Decryptonite."  We saw how this team, with limited time and resources, was able to quickly learn Windows internals and analyze over 80 unique families of malware to write an application capable of heuristic detection of ransomware.  Decryptonite looks at file I/O operations and kills processes running with unusually high writes/second or encryption behaviours.  To learn more about Decryptonite, check out the open source project on GitHub: https://github.com/DecryptoniteTeam/Decryptonite
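As an added illustration of the writes-per-second plus encryption-behaviour heuristic described above, here is a small monitor in the same spirit. This is example code written for this review, not Decryptonite's own code; the process IDs, file names, timestamps, thresholds and the idea of using byte entropy as the "encryption behaviour" signal are all constructed for the example. It consumes a pre-built list of write events rather than hooking real file I/O.

```python
"""Toy ransomware heuristic: per-process write rate combined with write entropy.

Constructed example; not Decryptonite's code. Thresholds and sample data are made up.
"""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WriteEvent:
    ts: float     # seconds since monitoring began
    pid: int      # writing process
    path: str     # target file
    data: bytes   # bytes handed to the write call


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, close to 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Flags a process whose recent writes are both frequent and high-entropy.

    A sliding window per pid keeps (timestamp, entropy) for each write. Once the
    window holds more than max_writes_per_sec * window entries and their mean
    entropy exceeds entropy_floor, on_kill(pid) is invoked once and the pid is
    remembered so it is not reported again.
    """

    def __init__(self, window: float = 1.0, max_writes_per_sec: int = 50,
                 entropy_floor: float = 7.0,
                 on_kill: Optional[Callable[[int], None]] = None) -> None:
        self.window = window
        self.max_writes = max_writes_per_sec * window
        self.entropy_floor = entropy_floor
        # A real tool would pass something like lambda pid: os.kill(pid, signal.SIGKILL).
        self.on_kill = on_kill or (lambda pid: None)
        self._recent: Dict[int, Deque[Tuple[float, float]]] = defaultdict(deque)
        self.flagged: List[int] = []

    def observe(self, ev: WriteEvent) -> bool:
        """Feed one write; returns True the first time the pid trips the heuristic."""
        if ev.pid in self.flagged:
            return False
        recent = self._recent[ev.pid]
        recent.append((ev.ts, shannon_entropy(ev.data)))
        while recent and ev.ts - recent[0][0] > self.window:
            recent.popleft()                       # drop writes older than the window
        if len(recent) <= self.max_writes:
            return False                           # rate still acceptable
        mean_entropy = sum(e for _, e in recent) / len(recent)
        if mean_entropy < self.entropy_floor:
            return False                           # busy but plaintext-looking (logger, compiler)
        self.flagged.append(ev.pid)
        self.on_kill(ev.pid)
        return True


def build_sample_events() -> List[WriteEvent]:
    """Constructed I/O trace with four hypothetical processes; nothing here is real."""
    rng = random.Random(7)                         # deterministic stand-in for ciphertext
    events: List[WriteEvent] = []
    for i in range(5):                             # pid 1001: editor, slow and plaintext
        events.append(WriteEvent(5.0 + i * 0.5, 1001, "notes.txt", b"meeting notes, draft %d\n" % i))
    for i in range(120):                           # pid 4242: "encrypts" 120 files in 0.6 s
        events.append(WriteEvent(10.0 + i * 0.005, 4242, f"doc{i}.pdf.locked", rng.randbytes(4096)))
    for i in range(200):                           # pid 2002: chatty logger, 250 writes/s of text
        events.append(WriteEvent(20.0 + i * 0.004, 2002, "app.log", b"INFO request served\n"))
    for i in range(80):                            # pid 3003: backup tool streaming a compressed archive
        events.append(WriteEvent(40.0 + i * 0.01, 3003, "backup.tar.gz", rng.randbytes(4096)))
    return events


def run_detection(events: List[WriteEvent]) -> List[int]:
    """Replay events in time order and return the pids the heuristic would have killed."""
    killed: List[int] = []
    monitor = RansomwareHeuristic(on_kill=killed.append)
    for ev in sorted(events, key=lambda e: e.ts):
        monitor.observe(ev)
    return killed


if __name__ == "__main__":
    print("would kill:", run_detection(build_sample_events()))
```

The replay flags the simulated ransomware (pid 4242) while leaving the logger alone, because rate alone is not enough: the logger writes faster than the ransomware but its data looks like text. The backup process (pid 3003) is the caveat a practitioner should expect: compressed output is statistically indistinguishable from ciphertext by entropy, so a kill-on-detect tool needs an allow-list or a confirmation step for archivers, database engines and similar bulk writers, or it will take out legitimate software.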


Judy Nowak presented her ideas for what is needed to integrate security incident reporting into an IT ticketing system.  Through her research we were shown how many IT ticketing systems lack the fields needed to track security incidents.  She also had us consider some of the complexities involved, such as exposing sensitive security information to the IT helpdesk, transferring tickets that are erroneously categorized, and the need to track the actual incident date vs the incident reported date.  Spreadsheets are a start, but I'm thinking that these would not provide the immutability needed for medium to large enterprises.  It was noted by a member of the audience that BMC Remedy has these features available, but if your IT ticketing system does not provide the fields you need to track security incidents, then this talk should serve as a call to action: request the improvement from your ticketing system provider, and make the world of security incident reporting and tracking a better place.


The last formal presentation was provided by the good folks from Telus ("the future is friendly" TM), Milind Bhargava and Peter Desfigies.  They presented their research results on the Canadian Darknet.  This is not, as I imagined, an outlet for the sale of black-market goods in exchange for maple syrup. The Canadian Darknet allows for the sale of Canadian identities and other illegal or shady items, for currencies, sometimes digital like Bitcoin, or paid for with other stolen goods such as PayPal accounts or gift cards.  Is that Kijiji advertisement by the 26-year-old single female looking for someone to show her how to use the Darknet a legitimate request, or police entrapment?  I leave it for you to decide.


Thanks to everyone who presented, including those that I didn't cover in my review.  You all gave me something valuable to think about.  And thanks to the conference organizers for providing an awesome BSides Toronto 2016 event!

------
Ann-Marie Westgate is an information security consultant with Digital Logic Solutions Inc.
Follow me on Twitter @AM_Westgate
Subscribe to me on YouTube: https://www.youtube.com/channel/UCRKrOK7r4jq5M5Bawx8wnMg

Sunday, October 9, 2016

Acing the InfoSec Interview



When you finally land that interview for the perfect job, chances are you will want to prepare before the big day. You will get interview questions that are designed to find out about your past experience.  These may be fact-checking and aptitude-testing questions, or they might be Situation, Action, Result (SAR) type questions.  When all the questions are done it will be your turn to ask a couple, and that is another way you can stand out in the interview.

Fact Checking Questions

This first type of question is used to assess your past experience and skills as they relate to this particular job.  These might be very specific, such as "have you ever used the XYZ vulnerability scanner in your past roles?" or "how many assessments would you perform per year?"  For these specific questions it might be difficult to judge whether more is required, so the best approach is to answer the question and expand a little on your role, for example in using the specific tool, or on what influenced the number of assessments that you did.  Keep an eye on the interviewer's body language to see if the short answer was sufficient or if they wish you to discuss further.  If you are not sure, it doesn't hurt to ask: "would you like me to tell you more about my specific duties as they relate to tool XYZ?"

Behavioural Questions - Situation, Action, Result 

Another type of interview question is sometimes referred to as "SAR": situation, action and result.  Let's look at how this works:  The hiring manager asks the interviewee to describe a specific experience and its outcome.  For example:  "Tell me about a time when you had to deliver a failing security report to a client.  What did you do and what was the outcome?"  This is a typical SAR type question, and hopefully you have done your homework before the interview and have an answer already formulated!  Let's work through this example to see how you could answer in an information security interview:

  • Situation:  Set the scene for your chosen example "Working for customer ABC (who will remain anonymous), I performed a penetration test over the course of 10 days.  On the first day I found several critical vulnerabilities which I needed to communicate to the customer right away, and then by the end of testing there were more findings than I could list in the time allocated for reporting."
  • Action:  What did you do in this case?   "I communicated the critical findings right away, as is customary for these types of engagements and written in the SOW (Statement of Work).  As far as the failing security report goes, I summarized the findings into categories and created a report that stated the facts and included the proof of concept screen shots.  Because there were so many findings, I focused on the most critical and high findings, then provided a listing of the mediums without as many details."
  • Result:  What was the outcome?  Was it a successful outcome?  "The customer was obviously very unhappy that the report had so many findings, and it was probably a bit of a wake-up call.  I was very supportive, walked through each of the findings with the customer and answered their questions to support my findings.  We were able to sell retesting services to verify the remediation."
Here are some information security specific interview questions that can be answered using the SAR approach:
  1. Did you ever have to explain an information security topic to someone who is not in the security field?   While this is asked as a yes/no question, reframe the question to describe a scenario where you worked with a non-expert: what did you do and what was the outcome?
  2. Tell me about a time when you had to take over a security testing procedure and there were no written standard operating procedures in place.
  3. Have you ever had to respond to a security incident when you were on call?  What was the incident and what was the outcome?  Note, you should be careful not to give away too many details - it is okay to talk in generalities without giving away the specifics of the employer and their environment. 
  4. Security is often seen as an inhibitor of business being able to get projects done.  Tell me about a time when your client thought that you were impeding progress.  How did you handle it and what was the outcome?
  5. Did you ever work as a security consultant as part of a cross-functional project team?  What was your role and were you successful in the role?
There are many interview question banks online, and it is worth working through these questions with someone who can help you practice your interview skills.  Here is one example of a question bank:  https://careerservices.wayne.edu/behavioralinterviewinfo.pdf  While some of these questions are not security specific, by preparing your responses you will begin to find them formulaic to answer, and it will be easier to answer SAR questions in interviews even if they are not ones you had prepared.

Human Resource Questions

Of course, you will get questions that are more typical human resources questions.  Don't underestimate the importance of these questions, which are designed to see if you are a good fit with the culture of the organization.  One question that candidates bomb time after time is:  "Tell me about when you received negative feedback - what was it for and what did you do to improve?"  This may also be asked as simply "Tell me something about yourself where you need to improve."  The interviewer asks this question to assess your emotional IQ, that is, how well you really know yourself.  Everyone has faults, and people with high emotional IQ have no difficulty discussing their areas of weakness and the mechanisms they use to keep themselves in check. Here's an example of how one person might answer this question.
  • "I am, at times, excitable or passionate at work, which can be off-putting or can overwhelm other people.  So to cope with this, I keep my caffeine intake in check, and am especially cautious when attending meetings with senior management to remain calm so as to not overwhelm them with information or talk too much."
Remember, no one is expecting you to be perfect, just honest.

Final Words of Wisdom

You will get a chance to ask questions at the end of the interview.  This is the time when you can really show that you have done your homework.  It is important to ask questions that are specific to the company and to recent stories in the news, for example new initiatives or partnerships that might have been published on the newswire.  I recommend leaving questions about work days, work from home, number of vacation days and the benefit package until you have an offer (most of these can be negotiated), or you may ask the human resources contact who arranged the interview.  Similarly, questions about training programs and whether your employer pays for certifications can wait until you are near an offer; then you can have a call to confirm whether this is part of the overall benefit package. My favorite question, which you can always ask at the end of the interview, is "What keeps you up at night?"

Be careful not to expose your previous employer's sensitive information!  You may be talking about your last employer, but in your interviewer's head they hear you talking about their company in the same way.  Will you be slagging them off too in a couple of years?  Be careful not to say anything disrespectful about your previous place of employment, your boss, or your colleagues there.  Security is a small world where you will find colleagues that you will know and work with for years to come.

As we continue to hear of the skills shortage in information security, you may find yourself at the interview table, either to start your new career or to make a change in this highly fluid and dynamic environment.  Many of the interview skills you will need can be practiced and mastered with sufficient preparation.  So grab a buddy (or a video camera) and a notebook to begin practicing your interview questions and responses.  Prepare now to score your next great opportunity!

Do you have sample questions for InfoSec interviews?  Share them in the comments section below.