You can't secure what you don't acknowledge.SM

Monday, January 25, 2016

LUCY - a very powerful email phishing tool

If you're an IT or information security professional you need to know about a great - and relatively new - tool that you can use as part of your security assessment and/or user awareness and training efforts. It's called LUCY. I came across a small online blurb about LUCY a few months ago and thought I would check it out. Having dealt with both open source and commercial email phishing tools that have either gone kaput or whose vendors have no interest in serving an independent consultant like myself, it looked like LUCY might be just what I needed. It is.

Available as a virtual machine download or an application running in the cloud, LUCY supports traditional email phishing campaigns but it goes several steps further by supporting SMiShing (SMS phishing), the simulation of malware attacks, Word macros, and it has a bunch of other features. LUCY's reporting capabilities are nice as well. The following is a sample of one page of the LUCY Web interface and you can see more for yourself here.
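To make the campaign and reporting side concrete, here is an added example of the core bookkeeping a phishing-simulation tool has to do. It is not LUCY's code; the campaign secret, landing URL, recipient list and access-log lines are all constructed for illustration. Each recipient's link carries an HMAC-derived token, clicks are resolved back to recipients only through the server-side secret, and forged or guessed tokens are discarded before the click rate is computed, so the report can't be inflated or faked.

```python
"""Phishing-simulation campaign tracking, reduced to its core: per-recipient
HMAC tokens in the tracking link, click-log reconciliation against the
recipient list, and a per-department click rate.
Added example with constructed data; not LUCY's code."""
import hashlib
import hmac
from collections import Counter

# Assumption: a per-campaign secret kept server-side; it never goes into an email.
CAMPAIGN_SECRET = b"example-campaign-secret-rotate-per-campaign"
CAMPAIGN_ID = "2016-01-awareness"
BASE_URL = "https://training.example.com/t"  # hypothetical landing page

# Constructed recipient list: (email, department)
RECIPIENTS = [
    ("alice@example.com", "finance"),
    ("bob@example.com", "finance"),
    ("carol@example.com", "engineering"),
    ("dave@example.com", "hr"),
]


def make_token(email: str) -> str:
    """Token = truncated HMAC-SHA256(secret, campaign || email).
    Unforgeable without the secret; the same recipient always gets the same token."""
    msg = f"{CAMPAIGN_ID}\0{email}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def tracking_link(email: str) -> str:
    """The URL that goes into the recipient's simulated phishing email."""
    return f"{BASE_URL}?c={CAMPAIGN_ID}&t={make_token(email)}"


def resolve_token(token: str):
    """Map a clicked token back to a recipient; None if it matches nobody.
    Constant-time comparison so timing doesn't reveal which tokens exist."""
    for email, _dept in RECIPIENTS:
        if hmac.compare_digest(make_token(email).encode(), token.encode()):
            return email
    return None


# Constructed access-log lines: one forged/guessed token that must not count,
# and one duplicate click that must count only once.
CLICK_LOG = """\
203.0.113.10 - - [25/Jan/2016:09:01:12 -0500] "GET /t?c=2016-01-awareness&t={alice} HTTP/1.1" 200
203.0.113.11 - - [25/Jan/2016:09:03:45 -0500] "GET /t?c=2016-01-awareness&t=deadbeefdeadbeefdead HTTP/1.1" 200
203.0.113.12 - - [25/Jan/2016:09:05:02 -0500] "GET /t?c=2016-01-awareness&t={carol} HTTP/1.1" 200
203.0.113.10 - - [25/Jan/2016:09:06:30 -0500] "GET /t?c=2016-01-awareness&t={alice} HTTP/1.1" 200
""".format(alice=make_token("alice@example.com"), carol=make_token("carol@example.com"))


def parse_clicks(log_text: str) -> set:
    """Return the set of recipients with at least one click carrying a valid token."""
    clicked = set()
    for line in log_text.splitlines():
        if f"c={CAMPAIGN_ID}&t=" not in line:
            continue
        token = line.split("&t=", 1)[1].split(" ", 1)[0]
        email = resolve_token(token)
        if email is not None:
            clicked.add(email)
    return clicked


def report(clicked: set) -> dict:
    """Overall and per-department click rate, the numbers an awareness report leads with."""
    by_dept_total = Counter(d for _, d in RECIPIENTS)
    by_dept_clicked = Counter(d for e, d in RECIPIENTS if e in clicked)
    return {
        "overall": len(clicked) / len(RECIPIENTS),
        "by_department": {d: by_dept_clicked[d] / by_dept_total[d] for d in by_dept_total},
    }


if __name__ == "__main__":
    for email, _ in RECIPIENTS:
        print(email, tracking_link(email))
    r = report(parse_clicks(CLICK_LOG))
    print(f"overall click rate: {r['overall']:.0%}")
    for dept, rate in r["by_department"].items():
        print(f"  {dept}: {rate:.0%}")
```

Rotating the secret per campaign keeps tokens from one exercise from resolving in the next, and keeping the recipient-to-token mapping on the server rather than in the URL is what lets the report reject anything not sent by the campaign.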

Before I discovered LUCY, I was seriously considering hiring a developer to write my own email phishing tool. I'm glad I didn't because I would have missed a whole lot of features that I never would've thought about. I'm also confident that I would've ended up getting in over my head with such a project. That's the great thing about working in this industry – I get to rely on the brainpower, findings, and products of all of the researchers and developers who are way smarter than me.

LUCY's feature set is nice but, to me, the best part is the support that I have received from its Swiss-based creator, Oliver Münchow. Oliver was very responsive and extremely patient with me as I got my environment up and running. In fact, I bugged him with so many DNS/SMTP configuration and user workflow questions (when, in many cases, I should've read the fine manual) he told me that he obviously needs to make some tweaks to the documentation and the functionality of the program. :-) He already has. Pretty cool.

Studies from Verizon, Trustwave, and others all show that social engineering via email phishing is one of the most popular attacks. It's just too simple and too effective. Many (most?) businesses today are making it too easy for criminal hackers to carry out their malicious acts for ill-gotten gains. I've been doing this type of work more and more as part of my overall security assessment projects and the results are pretty scary. If you're not doing email phishing testing, you can't honestly say that you're looking at everything - testing for all possible vulnerabilities - in your environment.

Whether you work for someone else or for yourself, you should check out LUCY if you're in need of simple to use, yet powerful, email phishing and security awareness/training campaign capabilities that you can get up and running almost immediately. Minimal technical expertise is required. Maximum value is pretty much guaranteed. 

You can check out more about social engineering and email phishing (tips, tools, and techniques) in the brand-new 5th edition of my book, Hacking For Dummies.

Wednesday, January 20, 2016

Worst passwords (on your network right now)

The fifth-annual Worst Passwords List put out by SplashData is here and the findings aren't terribly surprising. Here are the top five:

#1: 123456
#2: password
#3: 12345
#4: 12345678
#5: qwerty
Good stuff! What's that quote about insanity? 
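As an added example (not from the SplashData report or the original post), the check below rejects a password that is on the list or is a cosmetic variant of one, and flags the two pattern classes behind most of the entries: character sequences and keyboard walks. The blocklist holds only the five entries above, and the 12-character minimum is an assumed policy value; a real deployment would load a far larger list.

```python
"""Flag passwords that would land on a 'worst passwords' list: exact blocklist
matches, cosmetic variants of blocklist entries, sequential runs and keyboard walks.
Added example; the blocklist is the post's top five, the minimum length is assumed."""
import re

# Constructed blocklist: the five entries from the post.
BLOCKLIST = {"123456", "password", "12345", "12345678", "qwerty"}

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 12  # assumed policy minimum


def normalize(pw: str) -> str:
    """Collapse the cosmetic changes people use to sneak a bad password past a policy:
    case, trailing digits/symbols, and leetspeak ('P@ssw0rd1!' -> 'password')."""
    base = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop the trailing '1!' first
    return base.translate(LEET)             # then undo the substitutions


def is_sequential(s: str, min_len: int = 4) -> bool:
    """True if s contains min_len+ consecutive characters (abcd, 1234, dcba)."""
    codes = [ord(c) for c in s]
    run = 1
    for a, b in zip(codes, codes[1:]):
        run = run + 1 if b - a in (1, -1) else 1
        if run >= min_len:
            return True
    return False


def is_keyboard_walk(s: str, min_len: int = 4) -> bool:
    """True if s contains min_len+ adjacent keys from one row, in either direction."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            piece = row[i:i + min_len]
            if piece in s or piece[::-1] in s:
                return True
    return False


def weaknesses(pw: str) -> list:
    """Reasons a password should be rejected, in a fixed order; empty means it passed."""
    reasons = []
    if pw.lower() in BLOCKLIST:
        reasons.append("on blocklist")
    base = normalize(pw)
    if base != pw.lower() and base in BLOCKLIST:
        reasons.append("blocklist entry with cosmetic changes")
    if is_sequential(pw):
        reasons.append("sequential characters")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd1!", "123456", "correct horse battery staple"]:
        print(repr(candidate), weaknesses(candidate) or "ok")
```

The normalization step is the part most policies skip: "P@ssw0rd1!" satisfies every complexity rule yet is the second entry on the list with three characters swapped.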

One of those security basics that we'll likely continue to ignore until the end of time. That's alright, as some of the best sideline analysts will proclaim: we need not focus on such trivial things. Well, they have a point. After all, there are really cool technologies people can spend tons of money on instead. It's that kind of investment that makes it look like things are happening in and around IT!

Thursday, January 14, 2016

Hacking For Dummies, 5th edition - Brand new and more of what it oughta be

It's official - the 5th edition of my book Hacking For Dummies is out!

Outside of the first edition that was written 13 years ago, this new edition has, by far, the most updates and improvements yet. All based on the mistakes I make and the things I learn in my hands-on work performing independent security vulnerability assessments and penetration tests, I feel like Hacking For Dummies has come of age.

In this new edition, I have added new security checks and tools (e.g. Kali Linux) to many of the chapters. I've sprinkled in some more coverage of the cloud where necessary as well as updates on security testing methodologies. I also provide links to more (and more current) tools and resources in the appendix. I cover Windows 10 and even some of the latest security controls in Android Lollipop and M as well as iOS 9. I also have a new section on the Internet of Things.

Perhaps most importantly, I've eliminated a lot of the preachiness and references to "ethical" hacking and "hackers" and, instead, have put things more in terms of IT security professionals and security testing programs...It's security vulnerability assessments and penetration testing as it should be.

From the get-go, my goal with this book was not to cover every single niche hack that comes out - I'm not that smart and certainly don't have enough time (or pages) to do so. Instead, my goal is to hit the important areas that are getting so many enterprises into trouble (i.e. the low-hanging fruit) as well as to outline the security assessment process from start to finish, i.e. planning things out, understanding the mindset and methodologies all the way through the testing and then follow-up, including keeping management on board. I'm not aware of any other book that does this and believe that's where the real value in all of this is.

Thanks a ton to Amy and Katie at Wiley for helping make this book happen, to long-time friend Peter Davis for his most excellent technical edits, and to well-respected IT/security veteran Richard Stiennon for writing the new foreword. I couldn't have done it without your efforts and insight!

A LOT of sweat equity among many people has gone into Hacking For Dummies, 5th edition. I hope you'll check it out! I really think you'll like it.

Tuesday, June 23, 2015

HIPAA Security Rule compliance tips, advice, and resources

There's a lot going on in the world of healthcare, including HIPAA compliance. This applies not only to healthcare providers, insurance companies, and the like but also any business and subcontractor that does business in this space.

If you or someone you know falls under this umbrella, here are a few things I've written over the past several months that can help:

What Security Professionals Need to Know about HIPAA

‘Yes, HIPAA Applies to YOUR Business!’

Understanding Your Level of HIPAA Risk, the Right Way

Common Sense Incident Response for HIPAA
(guest blog posts I wrote for Bit9)

Sensible HIPAA Security Compliance for Business Associates & Subcontractors
(webcast containing information that every HIPAA business associate needs to know)

(whitepaper containing information on the history of HIPAA security compliance, what HIPAA is really about, minimizing the impact of a HIPAA security breach, and maintaining a state of reasonable HIPAA compliance)

And, last but not least, my freshly-updated HIPAA security and privacy compliance book.
Be sure to check out my other IT security compliance resources on my website as well. Enjoy!

Thursday, June 11, 2015

Great quote regarding people who are unable/unwilling to change

Here's an excellent quote about business execs I just came across from management expert, Peter Drucker. It could certainly apply to IT and security professionals just the same:

"The most common cause of executive failure is inability or unwillingness to change with the demands of a new position. The executive who keeps on doing what he has done successfully before is almost bound to fail." In other words, if you keep doing what you're doing, you're going to keep getting what you've gotten.

Friday, May 29, 2015

What you (really) need to know about esophageal manometry

Aside from my typical computer security-related blog posts I thought I’d branch out and share something completely unrelated in hopes it can benefit others.

Recently, I had the opportunity to endure the most difficult thing I’ve ever experienced as a forty-something male: esophageal manometry. It’s performed on patients suffering from gastroesophageal reflux disease (GERD). In short, the medical professional sticks one of these ~1/2" thick torture tubes up one of your nostrils and all the way down to the entry point of your stomach...a medical procedure undoubtedly similar to pre-1800’s era surgeries: awful, seemingly inhumane, and without anesthesia.

This is my story – details I feel that others who are about to experience an esophageal manometry may want to know...

Had I known that:
• The procedure costs over $10,000, I would’ve prepared myself mentally for the 30+ percent co-pay I was going to have to put on my credit card not 15 minutes before getting started. Perhaps this threw off my state of mind a bit…

• Breathing techniques (à la Lamaze during child birth) are so important, I would’ve practiced them a lot more.

• I wasn’t going to get the nose/throat numbing gel like I read about on various websites and saw on YouTube during my initial research, I would’ve prepared myself better (mentally) and not asked about it before we began. I think this tripped me up mentally as well.

• It was going to be such an intense mind-over-matter situation, I would’ve had more of my favorite music (that serves as a great distraction/motivator) queued up on my phone rather than have to look it up and play it as the procedure was starting.

• My sinus issues (brought on, in large part, by GERD) were going to make me want to clear my throat during the procedure, I would’ve practiced not clearing my throat. Ditto for swallowing. Every time I swallowed when I wasn’t supposed to (outside of the procedure's 20 measured liquid/gel swallows), it negated the previous swallow. It took me 20+ minutes of failed attempts before I realized that a strong start makes for a quicker finish with this procedure.

• The procedure is performed not only to determine motility when swallowing (how your esophagus works food/liquid downwards toward your stomach) but also to provide information on how tight/loose a surgeon needs to make things in any follow-up fundoplication surgery, I likely would’ve used that as motivation to tough things out a bit more.

• Just how trying it was going to be, I would’ve brought my wife along with me to be by my side. Luckily there were two nurses performing my procedure – one was in training and the other was there to guide the trainee and, just as importantly, hold my hand and assure me that everything was going to be okay.

• My gastroenterologist was going to later admit that it’s common practice to not tell patients how challenging the procedure is, I would’ve given it a second thought.

I’m not the toughest of guys when it comes to pain, medical procedures, and related human experiences. Overall, I’m glad I did it. If anything, my esophageal manometry made me a stronger and more resilient person who better realizes just how fragile and vulnerable we are as human beings.

Everyone’s mileage will no doubt vary with esophageal manometry. Still, as was my experience, information such as this is hard to come by. I’m all for having my expectations properly set…they certainly weren’t for this procedure.

I hope this helps someone out there somewhere. You can do it. Knowing what I now know, and especially what I learned, I could do it again as well if I had to.

Wednesday, April 15, 2015

Don't get blinded by the "small stuff" that's hard to notice

One of the core challenges you face in information security is getting so caught up in the minutiae of your network environment and day-to-day work that you end up not being able to see the bigger picture: what's really going on, what really needs attention, and what really matters. I've been writing about this for over a decade and I've yet to stop spreading the word. It's just too important a topic to ignore.

Not seeing the forest for the trees impacted me and my family recently. It's about our dog, Lady. As you can see, Lady was a beautiful girl who was also smart, loyal, and a determined guard dog, weighing over 50 pounds in her prime. As Lady grew older, she had health problems that we were aware of, yet didn't fully understand. These issues started several years ago when she was diagnosed with a spinal problem that affected her ability to walk/run and stay balanced - something called degenerative myelopathy. Thanks, in large part, to the Help'EmUp dog harness, we learned to manage this condition. It just became part of our daily routine.

Then dementia set in. Lady's behavior was marked by endless pacing around the house, not connecting with us mentally/spiritually/emotionally like dogs do with their families, and a slowly diminishing appetite. We knew the problems were there but didn't "get" how bad they were becoming...In recent months, everything started moving very quickly. After witnessing her immobility and dementia getting worse and worse, along with some great guidance from my friend and fellow racer, Dr. Alan Cross, we knew it was her time.

Here's the shocker: once we took Lady to the vet to end her suffering, we realized that she had lost 15 pounds from her peak...! We had no clue it had gotten that bad. Sure, we knew she wasn't well and was looking skinny, but we certainly weren't prepared to hear that she had lost nearly a third of her body weight in such a short period. Any doubts about what we were doing vanished when we learned this. We felt badly, yet blessed. Lady is now in a better place. God bless her soul.

I wanted to share this story with you because being blinded by what's going on under your very nose can (and will) impact you if you're not careful - especially in information security. Don't let security problems sneak up on you to the point where someone else (i.e. a criminal hacker or rogue insider with ill intent) shows you how bad they really are. It happens to the best of them and it can happen to you. Be proactive. Know the facts. Do something about your weaknesses sooner as opposed to later.

Lady, you're dearly missed. Cheers to having wonderful pets that make a difference in our lives!

Tuesday, April 7, 2015

A core reason why security challenges go unresolved

Constantly dealing with information security issues in your organization? It's really about dealing with management, peers, and subordinates. Here's some motivation:

"The ability to deal with people is as purchasable a commodity as sugar or coffee, and I will pay more for that ability than for any other under the sun." -John D. Rockefeller

If you're in search of other ideas on how to get (and keep) people on board with security, here are some pieces I've written on the subject.

Tuesday, March 10, 2015

Using Checkmarx CxSuite to outline "the rest of the story" regarding application security

When it comes to Web application and mobile app security, can you honestly say you know where everything stands? Or, as American radio personality Paul Harvey used to proclaim, do you know the rest of the story?
You can run Web vulnerability scans, perform manual mobile app analysis, and the most in-depth penetration testing possible. You can look at things from the perspectives of unauthenticated attackers, trusted users, and all the angles in between using Web proxies, forensics tools, and network analyzers. Still, that's not everything.

You haven't looked at the entire picture if you haven't looked at your application's source code using an automated source code analyzer such as Checkmarx's CxSuite. Why? Source code analysis helps paint the entire picture of where your applications are vulnerable and how they might stand up - and fall down - against the threats they face.
Note that I emphasize "automated" source analysis because no security professional of value has time to perform manual analysis on all the applications that matter.
The following screenshot of CxSuite shows the summary findings in an Android mobile app:

Interestingly, here are the findings in the same app written in Objective C for the super secure iOS platform:

There are a dozen more low-priority findings that you can't see in this screenshot. These differences in Android and iOS code are reason enough to perform source code analysis...

The CxSuite report shows prioritized findings (to be reviewed and re-prioritized by you as necessary) as well as source code examples so developers can understand how to fix the issues.

If you're an IT administrator, security manager, compliance auditor, developer, or consultant responsible for finding weaknesses in your organization's (or your client's) Web applications and mobile apps, you really need to look at the source code...eventually. And by "eventually" I mean at some point in the next year. Not the next five years. Not when you get around to it. If you don't, odds are good that someone else will find the flaws for you and try to make you look bad. Then what's it going to cost? Ten, twenty, maybe a thousand times more than it would've cost to perform the proper testing in the first place.

Don't end up here or fall into the group of people who find out about vulnerabilities and breaches from third parties that we keep hearing about. Perform a proper automated source code analysis soon and do it periodically. There are several source code analyzer options. Whether you're super technical or you're not, of the source code analyzers I've used over the years, I've found CxSuite to be a great option. 
In a future post I'll walk you through the steps required to perform a typical source code analysis. It's much easier than most people think.
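Added example, not Checkmarx code: a minimal rule-driven source analyzer that shows the shape of what such a tool produces. The rules target API uses that are weak on their face (for example MD5 hashing or a world-readable file mode), the Java and Objective-C fragments are constructed for illustration, and findings come out prioritized by severity with the offending line attached, as described above. Commented-out code is skipped, which is the first false-positive class any such tool has to handle.

```python
"""A minimal automated source analyzer: regex rules per language, findings
sorted High -> Low, each carrying file, line and source so a developer can act.
Added example; rules and source fragments are constructed, not real app code."""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    language: str   # "java" or "objc"
    pattern: str    # regex applied to one source line
    severity: str
    title: str


# Constructed rule set; each targets an API use that is weak on its face.
RULES = [
    Rule("J001", "java", r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"', "Medium", "Weak hash algorithm"),
    Rule("J002", "java", r"MODE_WORLD_(READABLE|WRITEABLE)", "High", "World-accessible file mode"),
    Rule("J003", "java", r"setJavaScriptEnabled\(\s*true\s*\)", "Medium", "JavaScript enabled in WebView"),
    Rule("J004", "java", r"Log\.[dvi]\(.*(password|token|secret)", "Low", "Sensitive data written to log"),
    Rule("O001", "objc", r"CC_MD5\(|CC_SHA1\(", "Medium", "Weak hash algorithm"),
    Rule("O002", "objc", r"NSLog\(.*(password|token|secret)", "Low", "Sensitive data written to log"),
    Rule("O003", "objc", r"kSecAttrAccessibleAlways\b", "High", "Keychain item readable while device locked"),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    title: str
    path: str
    line_no: int
    source: str


def scan_source(path: str, language: str, text: str) -> list:
    """Apply every rule for `language` to each line; return findings sorted High -> Low."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):   # commented-out code: skip, or every scan fills with noise
            continue
        for rule in RULES:
            if rule.language == language and re.search(rule.pattern, line, re.IGNORECASE):
                findings.append(Finding(rule.rule_id, rule.severity, rule.title, path, line_no, stripped))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line_no))


def summarize(findings: list) -> dict:
    """Counts per severity, the numbers a summary dashboard shows first."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed Android (Java) and iOS (Objective-C) fragments of the same feature.
JAVA_SRC = """\
MessageDigest md = MessageDigest.getInstance("MD5");
FileOutputStream fos = openFileOutput("creds", Context.MODE_WORLD_READABLE);
// Log.d(TAG, "password=" + password);   // commented out, must not be reported
Log.d(TAG, "password=" + password);
webView.getSettings().setJavaScriptEnabled(true);
"""

OBJC_SRC = """\
CC_MD5([data bytes], (CC_LONG)[data length], digest);
NSLog(@"token=%@", token);
"""


if __name__ == "__main__":
    for path, lang, src in [("Login.java", "java", JAVA_SRC), ("Login.m", "objc", OBJC_SRC)]:
        results = scan_source(path, lang, src)
        print(path, summarize(results))
        for f in results:
            print(f"  [{f.severity}] {f.rule_id} {f.title} at {f.path}:{f.line_no}: {f.source}")
```

Line-oriented regex rules are the floor, not the ceiling: a commercial analyzer tracks data flow from sources to sinks across files, which is what lets it tell a logged password from a logged timestamp. The output format, though, is the same: severity, location, evidence, fix guidance.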

Monday, February 9, 2015

Back to basics in information security? Proven year after year but (apparently) unattainable for many.

I'm often wrong about many things in life...just ask my wife. However, I'm feeling a bit vindicated regarding my long-standing approach to information security: address the basics, minimize your risks.

You see, more and more research is backing up what I've been saying for over a decade. It's what was uncovered in the new Cisco 2015 Annual Security Report. [i.e. "Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches."...among many other things.]

The new Online Trust Alliance report found the same things.

CyActive had similar findings as well in their new study. ["Some of the worst attacks of this year could have been avoided, saving companies, governments and consumers millions of dollars" ... "Unfortunately, reactive defense remains the common denominator today, despite the overwhelming evidence of reused and recycled components seen in the most notorious attacks."]

The brand-new Trustwave State of Risk Report backs up this reality, and does so every year. [i.e. "60% run external vulnerability scans on critical systems (third-party hosted) less frequently than every quarter. Meanwhile, 18% never perform penetration tests." I'll venture to guess that 80+ percent of organizations are not looking at all of their systems that count...]

The same goes for the Verizon Data Breach Investigations Report.

Ditto for the Chronology of Data Breaches...on a daily basis.

Combine these results with what I see in my work and I'm even more convinced that if we focused on the basic principles of information security, such as the ones I listed here six years ago, what I wrote for in 2004, and many of the concepts we learn during CISSP training...not to mention the ones listed in these two publications:

What gives!? What's it going to take to fix our security problems?

No thanks, Øbama, we don't need your approach to continued government growth that'll fix information security no more than your "healthcare" law has fixed healthcare.

I'm not convinced we need a federal data breach law, either (thanks anyway, American Bankers Association). I believe we have enough laws on the books for now...

What we're seeing in information security (i.e. people who ignore the basics and end up perplexed by why bad things keep happening) is not unlike what society does with social issues. Every generation has its own ideas on how to fix the world's ills (namely passing more laws and redistributing more wealth) but we're still not focusing on the essentials that have proven to work across generations (i.e. free markets, lower taxes/regulation, coaching people to believe in themselves, etc.) and, thus, the problems continue.

As Jim Rohn once said: Success is easy, but so is neglect.

The title of this recent SC Magazine piece on the subject says we need a new approach. I respectfully disagree. We need discipline.

What we need to fix the security challenges we face are people willing to stop buying into the hype brought forth by vendors and analysts, especially those who stand to make money off of their shiny new products or services - not to mention the self-proclaimed security ninjas and cyber warriors who know everything about security, in their own minds. We then need these people to acknowledge that merely 20 percent of their security vulnerabilities are creating 80 percent of their problems. Finally, we need people who are willing to be leaders and step up and do something about these weaknesses....

Otherwise, step aside and let someone else do what needs to be done.

I know it's not that difficult. I see plenty of organizations who are successful in security. The problem is that most are not.

As Ayn Rand, author of Atlas Shrugged, said: "You can avoid reality, but you cannot avoid the consequences of avoiding reality." The time to start recognizing history and learning from other people's woes is now. Use your power of choice...Don't be a dodger. Confront the issue, fix it, and get this behind you once and for all.