Posts tagged ‘SANS’

Scanning External Drives on Connection

Over on Symantec Connect (the Symantec support forum), I frequently see people ask for the ability to automatically scan a removable drive when it is connected to a system. They also submit it as an "idea". The Ideas section is where you can make product suggestions that other users can discuss and vote up or down.

I often wonder where this idea comes from, because it seems like a particularly bad one. It seems like someone decided that was the only way to solve the problem of USB-based malware like Conficker. That isn't the case, and a forced scan on insertion can be very inconvenient.

If I connect a 1 GB drive to the system, do I really want to wait while Symantec Endpoint Protection scans the full drive? I don't think so. Endpoint Protection can disable autorun, which solves 80% of the malware problem, and real-time scanning will still scan files as they are actually used.
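As an added example (not code from the original post or from Symantec), this is what "disable autorun" amounts to on Windows: Explorer reads a REG_DWORD bitmask called NoDriveTypeAutoRun from the machine policy key, with one bit per drive type. The helper below builds and inspects that mask anywhere, and only touches the registry when it is actually running on Windows with admin rights. The drive-type names used as dictionary keys are my own labels; the bit values and the key path are the documented ones.

```python
r"""Build, inspect and (on Windows) apply the NoDriveTypeAutoRun policy value.

Key:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveTypeAutoRun (REG_DWORD), one bit per drive type; a set bit
       disables AutoRun for that type.
"""
import platform

# Bit values of NoDriveTypeAutoRun. Bit 0x02 (no root directory) is never
# used, which is why "disable everything" is conventionally written 0xFF.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,   # USB sticks, floppies
    "fixed": 0x08,       # internal and external hard disks
    "remote": 0x10,      # network shares
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,    # unspecified drive types
}
DISABLE_ALL = 0xFF
WINDOWS_DEFAULT = 0x91   # unknown + remote + reserved: removable and CD-ROM still autorun

REG_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REG_VALUE = "NoDriveTypeAutoRun"


def autorun_mask(disabled_types):
    """Return the NoDriveTypeAutoRun value that disables AutoRun for the given types."""
    mask = 0
    for name in disabled_types:
        mask |= DRIVE_TYPE_BITS[name]   # KeyError on an unknown name is deliberate
    return mask


def autorun_enabled_for(mask, drive_type):
    """True if AutoRun is still active for drive_type under this mask."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])


def read_mask():
    """Read the effective policy value. Windows only."""
    if platform.system() != "Windows":
        raise OSError("NoDriveTypeAutoRun only exists on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        value, _ = winreg.QueryValueEx(key, REG_VALUE)
    return value


def apply_mask(mask):
    """Write the mask to the machine policy key. Windows only; needs admin rights."""
    if platform.system() != "Windows":
        raise OSError("NoDriveTypeAutoRun only exists on Windows")
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, REG_PATH, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, REG_VALUE, 0, winreg.REG_DWORD, mask)


if __name__ == "__main__":
    # Show what the default leaves open, then what the recommended value closes.
    for name in DRIVE_TYPE_BITS:
        print(f"{name:10s} default={autorun_enabled_for(WINDOWS_DEFAULT, name)} "
              f"disabled_all={autorun_enabled_for(DISABLE_ALL, name)}")
```

The check worth running before arguing with an auditor is `autorun_enabled_for(read_mask(), "removable")` on a representative build: if that is already False, the insertion-scan feature buys little beyond what real-time scanning provides when files are opened.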

Like most bad ideas, this requirement comes from hardening guides and auditors. I was reading the Critical Security Controls and found the following:

Quick wins: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

As I said, I think a full drive scan on insertion is completely unwarranted. Do any other anti-malware products have this capability?

Glass Houses, SANS and Bit.ly

SANS has a blog post relating an anecdote about malicious links on a Facebook wall. The author said, "As for Bitly - I would use extreme caution with any links identified as source bitlyDOTcom." I laughed because the SANS handlers are typically against links in general. They want you to browse with Firefox and NoScript, always use a bookmark that you have verified, and you might just want to SHA1 the bookmark to make sure no one has tampered with it. I'm only exaggerating slightly. I mention that only as background.

What was funny in this case is that the ShareThis plugin at isc.sans.edu uses bit.ly when you use its button to compose a tweet. Even better, @sans_isc tweeted a link to this post using, guess what, bit.ly. (Twitter does show the real URL when you mouse over the link, but I still find it funny.)

Flash 10.3.181.34

SANS posted a one-liner today reporting that Flash 10.3.181.34 was available for download from Adobe. This wasn't entirely unexpected, because Google released a new version of Chrome on June 30th which contained a new version of Flash. Adobe seems to be releasing new Flash versions to the rest of us a couple of days after Chrome.

Adobe has not released a security bulletin, so this seems to be more of a bug-fix release. The release notes describe it as "addressing compatibility issues with some content using cross-domain policy files."

Patch deployers can back off the ledge for now. There is no huge reason to deploy this one if you aren't having that issue.

GSE Multiple Choice Exam

I passed the first part of the GSE today. The GIAC Security Expert (GSE) consists of a multiple-choice exam, which is what I passed today, and a two-day lab.

The certification bulletin for the exam portion of the GSE is a bit light. I'm not sure that page is actually linked anywhere. It is missing the number of questions (150), the passing score (75%) and the time allowed (3 hours). The exam bulletin lists the prerequisite certifications (GSEC, GCIH and GCIA) as the test objectives, so I would suggest looking at the exam bulletin for each of those quite carefully. Consider those certifications your practice tests; there are no GSE practice tests.

In preparing, one of the first things I did was re-read Preparing for the GSE. Kevin Bong's advice on preparing for the multiple-choice exam applies to all GIAC tests. If you're smart you'll follow this advice on all certs and not have to redo the indexes. I don't follow his advice exactly.

When preparing, the first thing I do is create an Excel document with headers for Term, Book, Page and Definition. Under cell formatting, enable word wrap on the Term and Definition columns. The Page column needs to be formatted as text if you have any old-style SANS books that number pages by section and page (e.g. 2-35); otherwise Excel will think you're entering a formula.

I next go through the book page by page, entering terms and key concepts. I fill in the Definition field as much as possible so that during the test I can often get the answer without opening the book.

After I've made it through all the books, I review the test goals in the certification bulletin. In the case of the GSE, that means the certification bulletins for the GSEC, GCIH and GCIA. Review each item and make sure it is covered in your glossary. If you did a good job, you shouldn't have to add too many things to the glossary/index. The last thing to do before the test is sort it into alphabetical order and print it (preferably double-sided and stapled).

Depending on the course and the age of your books, you may not have a table of contents. I have books with no table of contents, tables of contents that are wrong, and tables of contents without page numbers. Take the time to create your own table of contents. If you get a question you don't know, and it's not in your index, you'll be able to find the correct section that much more easily.

Next I printed all of the SANS cheat sheets I could find: the Netcat Cheat Sheet by Ed Skoudis, the Google Hacking and Defense Cheat Sheet, the Intrusion Discovery Cheat Sheets for Linux and Windows, the IPv6 TCP/IP and tcpdump Pocket Reference Guide, the Windows Command Line Cheat Sheet by Ed Skoudis, the Misc Tools Cheat Sheet by Ed Skoudis, and the TCP/IP and tcpdump Pocket Reference Guide.

I printed out the Wikipedia page for the SIP protocol and the man pages for Snort, netcat, syslogd and tcpdump. I also printed out the headers spreadsheet from Mike Poor. I also had the Nmap Network Scanning book by Fyodor, but that is a bit of overkill.

Where I take the exams, they tend not to lump SANS test takers in with the general population. I guess they've had experiences with us flipping through books and disturbing other people. So instead of taking the test in a cubicle, we take it at an L-shaped desk, with plenty of room to organize the open-book portion of the exam. The limit on the amount of material you can bring in remains the same, which can be kind of rough because the test is drawn from three courses. I found the SANS bookbag holds a good amount, and I think it falls under the "bookbag" size limit.

So that’s it for part one.   The next GSE lab is scheduled for Orlando at the end of March.

Passed the GSEC

I passed the GSEC (GIAC Security Essentials Certification) this morning. It is a multiple-choice test with 180 questions.

I had been considering taking Security Essentials at SANS CDI in Washington DC. On the one hand, at this point in my career shouldn't I be able to pass this certification without the conference? On the other hand, there are always things you don't know, and it would be nice to take another course with Eric Cole. SANS has a 50-question test to determine whether you are ready for the course or don't need it. I scored well enough that I decided to challenge the exam. Challenging a SANS exam means that instead of attending the conference or purchasing the self-study option, you pay to take the exam and get two practice exams. You don't get the workbooks when you challenge an exam.

Without the SEC-401 books, I looked at other ways to make sure I got the score I wanted. The most help came from my SANS CISSP+S workbooks. In 2005 I took the SANS version of a CISSP prep course, which I highly recommend for the CISSP. While it is the one SANS conference track focused on helping you pass a certification, it also tries to give you knowledge that is applicable to work. There is significant overlap between the CISSP and the GSEC, so those workbooks came in handy.

I also purchased GSEC: The How to Pass on Your First Try Certification Study Guide by William Manning. As it says on the first page, the book is not intended to replace the SANS workbooks. I was hoping to use it as a reference, but I found it lacking even for that. The built-in index isn't very good: it gives you every page where a term was used, so it's hard to find the one page where it was really defined well. You'll need to build your own index for the exam. I also found the book completely lacking in its coverage of Windows, Linux and VoIP. If you do insist on buying it, both the first and second editions are available on Amazon; make sure you get the updated version.

I went after the GSEC because it's a prerequisite for the GSE. I've seen others complain about that: "Why get a lower-level certification when you've completed a higher-level certification?" SANS's response is that the Unix and Windows components of the GSEC make it unique. They do offer the alternative of taking the Unix and Windows certifications separately. What I find kind of funny is that the SANS Cyber-Guardian program has a prerequisite of a GSEC, but a CISSP can be substituted in that program. (Although the Cyber-Guardians must attempt a GSE, so I guess a GSEC really is required.)

Step Back I’m Certified – GCIA

Today I passed the GIAC Certified Intrusion Analyst (GCIA). The blog title refers to a Dilbert strip that I keep on the wall with my certifications. As I recall, Certification Man says to Dilbert, "Step back from that server, I'm certified!" In the next panel he says, "Funny, that's all I recall from the certification classes."

The GCIA is the certification associated with the SANS Security 503 course, "Intrusion Detection in Depth", which I took in April.

I think getting the certification is something tangible for management to show the training was worthwhile. Other than that, it doesn't mean much unless you're looking for another job.

I've worked with ISS RealSecure and some Cisco IDSM-2 modules, and I was interested in learning a bit about Snort. Also, the GCIA is a prerequisite for the GSE.

SPF Usefulness

The SANS ISC Handler Diary is asking for your experiences with SPF. It's funny timing, because I just configured SPF for my domains last night. I'd been using SPF records previously, but when I left PowWeb for Dreamhost (which changed my authoritative DNS server) I didn't set up SPF again.

I'm using Google as the mail server for my personal domains. Configuring SPF for Google is pretty easy: just create a TXT record containing v=spf1 include:_spf.google.com ~all. Like most SPF implementations, they recommend you use "~all" (softfail), which tells the receiving server that mail from any source not in the list is probably not legitimate, but that it should not reject mail on this basis alone. I kind of wonder what use that is. But it seems to take more guts to use "-all".

To me, SPF is not exceptionally useful. It just seems like the only thing you can do to keep yourself from being Joe Jobbed. Sadly, through the years remote mail servers have been more likely to allow backscatter than to check SPF.

At the same time, it's never shot me in the foot. Using ~all instead of -all is probably to thank for that. I have seen Hotmail headers indicating that if I had been using -all they would have blocked me: they had a broken implementation that couldn't handle "include" statements in SPF records. SPF is not well liked by *nix folk. It breaks .forward. It breaks mailing lists that send as the message poster.
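To make the ~all versus -all question and the "include" handling that Hotmail got wrong concrete, here is a small SPF evaluator as an added example; it is not code from the original post, from Google or from any SPF library. DNS is replaced by a constructed in-memory table so it runs offline; the _spf.google.com and _netblocks.google.com records in it are simplified placeholders, not Google's real published netblocks, and example.org, strict.example.org and loop.example.org are made-up domains. Only the ip4, ip6, include and all mechanisms are implemented; anything else yields permerror.

```python
"""Minimal SPF (RFC 7208) check_host: ip4, ip6, include and all with qualifiers.

DNS lookups are served from ZONE, a constructed table, so the example is
self-contained. Results follow the RFC: pass, fail, softfail, neutral,
none and permerror.
"""
import ipaddress

# Constructed TXT records (placeholders, not real zone data).
ZONE = {
    "example.org": "v=spf1 include:_spf.google.com ~all",
    "strict.example.org": "v=spf1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:74.125.0.0/16 ip6:2001:db8::/32 ~all",
    "loop.example.org": "v=spf1 include:loop.example.org -all",   # pathological
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def check_host(ip, domain, zone=ZONE, _budget=None):
    """Evaluate the SPF policy of `domain` for a message sent from `ip`."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":                    # matches everything that reached it
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
            continue

        if name == "include":
            budget[0] -= 1                   # shared across the whole recursion
            if budget[0] < 0:
                return "permerror"
            inner = check_host(ip, arg, zone, budget)
            if inner == "pass":              # include matches only on an inner pass
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "none":              # RFC 7208 section 5.2: no record is permerror
                return "permerror"
            continue                         # inner fail/softfail/neutral: keep going

        return "permerror"                   # a, mx, exists, redirect= etc. not implemented

    return "neutral"                         # nothing matched and no "all" present


if __name__ == "__main__":
    for sender, dom in [("74.125.1.1", "example.org"), ("192.0.2.1", "example.org"),
                        ("192.0.2.1", "strict.example.org"), ("192.0.2.1", "loop.example.org")]:
        print(f"{sender:12s} as {dom:20s} -> {check_host(sender, dom)}")
```

Two things the table makes visible: the inner record's "~all" never leaks out of an include (an include only ever contributes a match on pass), so a receiver that reported softfail from inside _spf.google.com was misreading the record, which is the class of bug the Hotmail headers showed; and a forwarding host that is not in any listed netblock lands on the outer "all" term, where ~all and -all are the whole difference between a flagged message and a rejected one.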

Information Security Restrooms

I was at a SANS conference in Reston this past week and did a double take on seeing the following sign.
[Image: infosecrestroom.jpg]
I don't normally go to Reston Town Center, but given the number of infosec people working in the area I imagine the jokes have all been done already.
What is an information security restroom?
If Larry Craig had used an infosec restroom, would he still be a Senator?
Is this restroom ISO27001 certified?
How does this restroom support confidentiality?
How does this restroom support integrity?
How does this restroom support availability?
Is it susceptible to a denial of service attack?
Principle of non-repudiation (he who smelt it dealt it)
Is there an Intrusion Prevention System?
Core dump analysis?
I better stop now.

BitLocker vs Third Party FDE

Like many organizations, we skipped Vista. So with Windows 7 we are facing the question: is Windows 7's BitLocker good enough, or do we still need to pay for a third-party full disk encryption (FDE) product?

This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vendors felt their products were better because:
1. Better Management tools
2. Mature product
3. Multiple OS support
4. No requirement for TPM.

BitLocker is no longer a first-generation product. Let's look at today's reasons for purchasing or continuing to use a third-party FDE product.
BitLocker Minimum Requirements
“BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have either a computer with a Trusted Platform Module (TPM) or a removable USB memory device.”
USB memory devices would tend to be stored in the laptop bag along with the laptop, so that isn't a secure solution.
TPMs are an additional thing to manage. Perhaps it's not as difficult as I envision. When I did a Wave eval, I had to go into the BIOS to enable the TPM and set the TPM owner password. That doesn't scale.
“The computer must have been configured with an additional separate active partition to be used as a system partition.”
This extra step now happens automatically, so I don’t think that is a big deal.
“The BIOS must be compatible with TPM and/or support usb devices during computer startup”
It may be necessary to upgrade the BIOS. While probably not an issue on the newer computers we would be buying, this could be an issue on in-place upgrades.
None of these prerequisites is particularly burdensome. However, the list leaves out one key minimum requirement: Vista or Windows 7 Enterprise (or Ultimate). Our XP systems would still be on the current FDE product, requiring two management methods.

OTHER BitLocker Considerations

1. Provable Encryption
With the current FDE product, if a computer is lost I can show that it was actually encrypted when it was last seen on $date at $time. Can BitLocker say the same? I don't know.
Many states have an encryption safe harbor, meaning that if the lost system was provably encrypted, breach notification provisions do not apply.
2. Usability
The current FDE product syncs the domain password to the pre-boot environment, so the user does not need to know a second password and the normal password requirements apply.
With BitLocker the PIN is just that: a PIN. An enhanced PIN can be required, but some system BIOSes may not support alphanumeric entry in the pre-boot environment. Does this PIN ever expire? It doesn't seem like it.
3. Recoverability
The standard recovery method is a recovery password, a 48-digit number backed up to Active Directory. Enjoy typing that in when the user forgets their PIN.
This method is not FIPS compliant and must be disabled in a FIPS configuration. Instead there are two other options.
A recovery key is a 256-bit key saved to a flash drive. This must be done by the end user, who then needs to store the key securely. Obviously that isn't enterprise ready.
The third option is a data recovery agent: a public key is distributed to all BitLocker-protected devices, and someone with the matching private key (e.g. me) would need to be physically present at the computer. Apparently even then the OS drive must be installed in another computer running Windows 7 as a data drive.
So basically no recovery options work for us.
4. Standby
BitLocker protection is in effect only when the computer is turned off or in hibernation.
Our current FDE product protects in standby, hibernation or when the computer is off.
Update: this is no longer true. Pre-boot authentication in standby gives a false sense of security.
5. Enterprise Manageability
While BitLocker has caught up with third-party encryption products in its ability to encrypt USB drives, there are still other areas where FDE vendors shine. Many FDE vendors can also encrypt phones and manage hardware-based encryption products. It's a lot more convenient to manage these devices through one vendor.
From my limited reading, it seems there are still a number of items that argue for the continued use of a non-Microsoft FDE product.
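On the recoverability point above, the 48-digit recovery password is not an arbitrary number, and that structure is worth knowing before a help-desk call: it is eight groups of six decimal digits, each group is a multiple of 11 and below 720896 (11 times 65536), and each group divided by 11 is one 16-bit word of the 128-bit recovery key. The following is an added example, not code from the original post or from Microsoft; the sample password in it is constructed from those rules, not a real key.

```python
"""Structural validation of a BitLocker 48-digit recovery password.

Rules used: 8 groups of 6 digits; every group is divisible by 11 and
less than 720896; group // 11 is a 16-bit word of the recovery key.
"""
import re

GROUPS = 8
GROUP_LIMIT = 11 * 65536   # 720896: the smallest multiple of 11 that is not a 16-bit word


def parse_recovery_password(text):
    """Return the eight 16-bit words, or raise ValueError naming the bad group."""
    digits = re.sub(r"[\s-]", "", text)          # accept dashes and whitespace
    if not digits.isdigit() or len(digits) != GROUPS * 6:
        raise ValueError("expected 48 digits in 8 groups of 6")
    words = []
    for i in range(GROUPS):
        chunk = digits[i * 6:(i + 1) * 6]
        group = int(chunk)
        if group % 11 != 0:
            raise ValueError(f"group {i + 1} ({chunk}) is not a multiple of 11: probable typo")
        if group >= GROUP_LIMIT:
            raise ValueError(f"group {i + 1} ({chunk}) exceeds {GROUP_LIMIT - 1}")
        words.append(group // 11)
    return words


def is_valid_recovery_password(text):
    """True if the password passes the structural checks."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def format_recovery_password(words):
    """Inverse of parse: render eight 16-bit words in the dashed 48-digit form."""
    if len(words) != GROUPS or any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("need exactly eight 16-bit words")
    return "-".join(f"{w * 11:06d}" for w in words)


# Constructed sample built from the rules above (not a real recovery password).
SAMPLE = format_recovery_password([1, 2, 3, 4, 5, 6, 7, 65535])

if __name__ == "__main__":
    print(SAMPLE, parse_recovery_password(SAMPLE))
    try:
        parse_recovery_password(SAMPLE.replace("000011", "000012"))
    except ValueError as err:
        print("rejected:", err)
```

The divisibility rule is there for the help desk: since 10^k mod 11 is always 1 or 10, a single mistyped digit or a transposition of two adjacent digits always changes a group's residue mod 11, so the pre-boot prompt can reject the typo with a group number instead of silently failing to unlock.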

Dumb Ideas in Pentesting

Today's SANS Diary reminded me of something that happened a while back.
The SANS entry New Risks in Penetration Testing was concerned that the reputation score for an IP could be affected by pen testing from that IP address. I guess someone is taking the old SenderBase concept and applying it to all traffic.
The helpdesk received a ticket a while back about an inability to communicate with a government website. After checking it out, it looked like they were blocking our external IP. We contacted the government people and confirmed that their ISS IPS appliance had automatically blocked our IP because we were attacking them. I checked the logs and found that one of our people who pentests for a living had done some XSS probing of a WordPress blog hosted on the government site. I turned that over to someone else to find out whether he had authorization to do so.
Probing other organizations from your company's main IP address is not such a good idea.