You can't secure what you don't acknowledge.SM

Monday, December 5, 2016

Using NowSecure for automated mobile app testing

As an independent information security consultant, I'm always looking for good testing tools to rely on for my work. These tools, such as vulnerability scanners, network analyzers/proxies, and related manual analysis tools, are not the be-all-end-all answer for uncovering security weaknesses, but they are a very important aspect of what I do. Be it more generic vulnerability scans, a targeted penetration test, or a broader, more in-depth, security assessment, I simply don't have the time or brainpower to forgo using good tools.

In the interest of working smarter and not harder, there's a neat tool called NowSecure that can automate the process of mobile app security analysis.This cloud or on-premises platform can be used on currently-deployed mobile apps or apps that are in the middle of their development lifecycle. Just load the APK (Android) or IAP (iOS) file for the mobile app to be tested and the checks are run - including real-world, dynamic simulation - and the report is generated.

You're provided with the specific vulnerability, CVSS references, and recommendations for each finding. NowSecure also includes informational findings as well as security checks that "passed". A summary view of sample findings is shown as follows:

Additional information regarding the mobile app's functionality is provided including:
  • Network connections outlining who/what the mobile app talks to (I always find this amusing and sometimes scary!)   
  • Behavioral events of specific app methods that are run along with timestamps
  • URLs listed in the source code and files contained in the archive package
NowSecure provides an interesting and refreshing approach to security testing. I had someone contact me years ago asking if I had a way to automated the process of testing numerous mobile apps. I didn't and wish I would have - or at least wish NowSecure current platform would've been around then! Mobile app security testing is (still) a big and underserved market to say the least. This type of tool can help take some pain out of the mobile app security assessment process.  Some people out there may be good enough to do manual testing of every computer, web application, and mobile app that's thrown their way. However, odds are these folks are not getting a lot done or providing much value to their employers, customers, or even themselves.

There's too much to do with security and not nearly enough time to do it. Work smart. Don't re-invent the wheel. Automate your security testing with tools like NowSecure where you can. Of course, perform your manual analysis where you need to. I never advocate relying solely on automated tools when performing a full security assessment. There's too much to overlook and lose. However, mobile apps are largely an unexplored frontier so you're going to have to rely on good tools to point you in the right direction and (especially) find those niche flaws that would be impossible or unreasonable to uncover otherwise.

Thursday, November 17, 2016

Careers in information security, dealing with ransomware, and more

With the field information security as popular as ever, I thought this would be a good time to share some pieces I've written on breaking into the field along with a few more on information security leadership. Oh, and I've thrown in a couple of pieces and a webcast on ransomware since that's a big deal these days. Enjoy!

10 Tips for Breaking into the Infosec Field 

What type of organization needs a CISSP on staff?

The important distinction between security facts and security problems

Why System Administrators are so Crucial to Security

The side-effects of miscommunication between IT and security pros

Security mistakes executives make

CEO Spoofing - Don't get fooled

Five ways to prevent a ransomware infection through network security 

Ransomware, Social Engineering and Human Error: What could go wrong?

As always, be sure to check out all of my other information security articles, webcast, etc. on my website

Wednesday, September 21, 2016

Join me along with ISACA and TechTarget today to learn about how to advance your infosec career!

 Kevin Beaver professional speaker keynote
I'm happy to announce that I'll be joining ISACA and TechTarget for their annual online security seminar - a day-long learning event for IT and information security professionals.  My session this afternoon, which starts at 3:30pm ET, will be I Can Do versus I Have Done...Certification, Experience, and the Information Security Career Path.

You can register by clicking the image or via this link:  

I hope to "see" you there!

Monday, September 19, 2016

People Behaving Badly and information security's tie-in

Last week, I had the opportunity to travel to the Bay Area in California to record an information security video (thanks Intel and TechTarget!). Of course, I couldn't travel across the country and not see the sights of San Francisco. A most excellent highlight of the trip was for my son and I to meet television and social media celebrity, Stanley Roberts. My son is a huge fan of Stanley's, has learned a ton from him (me too!), and was over the moon-excited to be able to meet him in person.

I wanted to share with you Stanley's videos (a really good "best of" is below) and how his work relates to what we do for a living. Stanley catching people in the act of doing bad things intentionally, or perhaps through ignorance, is the very thing that drives the field of information security today. It's the essence of my previous blog post from today and my whole shtick about if we just addressed the basics of security (followed the core best practices and rules) we wouldn't  experience the consequences.

Stanley, we need to figure out how to do something on "people behaving badly with computers"!

Check out Stanley's YouTube channel or, if you're in the Bay Area, KRON 4 News...I think you'll enjoy it. If anything, beyond the laughs, you'll see that crazy human behavior is across the board in all aspects of life, not just in IT and security.

What, exactly, is reasonable security? The state of California knows!

With all that's happening in the world of information security, it seems that there's never enough regulation. From to HIPAA to the state breach notification laws to PCI DSS and beyond, there are rules - and guidance - around every corner. Oddly enough the breaches keep occurring. As if what we've been told up to this point is not reasonable enough. Some people, mostly federal government bureaucrats and lawyers who stand to benefit from such power, believe we need more regulations. Some are even attempting to rebrand information security as "cybersecurity" which only serves to create another layer of complexity and hurt our cause long-term.

Presumably, more regulations will clarify what "reasonable security" means. I disagree. The core information security essentials that we need to follow in order to be secure have been around for decades. Yet people think we need more guidance, more rules, more control. It's the mindset that many have toward fixing government schools: don't address the real problems, just throw more money at things and the challenges should go away soon. If things were only that simple!

If we're going to address information security reasonably, we don't need more regulations...what we need is discipline. The discipline to execute the security essentials over and over again, no matter how boring, how repetitive, and how politically inconvenient they are. I love what Kamala Harris, Attorney General for the state of California wrote in her 2016 California Data Breach Report:

The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

Folks, it's as simple as that...Ignoring the problem won't make it go away. Unless and until we address the core security practices - practices that have been proven to work time and again - we'll continue to struggle. So, what's it going to be?

Wednesday, August 24, 2016

A WordPress security resource for you: WP Security Audit Log

WordPress has had its fair share of security flaws over the years. Arguably more than any other mainstream platform. A quick search of 'wordpress' at the National Vulnerability Database returns over 1,100 published vulnerabilities as old as 2004 and several as recent as this month. Despite all of the security issues, WordPress is a highly-popular platform for businesses and individuals alike to create their online presence.

There are a lot of plug-ins and related resources to help with WordPress resources but there's one that I'm familiar with that you might want to check out. They're available through WP White Security - a company run by my colleague and web security expert Robert Abela. He not only offers WordPress security consulting services around hardening, malware removal, and the like but more importantly (from a proactive security point-of-view at least) plug-ins that you can use to lock down your web presence and keep it in check called WP Security Audit Log.

I've been thinking of using WordPress to host a website but I've held off because of the security flaws that come with it if it's not proactively maintained and monitored. Tools such as WP Security Audit Log are the only way to go outside of a managed security service to ensure your website is not exploited for ill-gotten gains. If you host your own WordPress website and you're not a technical person, then something like this is an absolute no-brainer. I've been telling Robert for a couple of years now that I was going to write a blog post to share his offerings with my audience. I'm guessing I could've helped prevent untold exploits and breaches had I done it sooner! I hope you find it beneficial nonetheless.

One final thing - another good practice that's often required by law or contract - if anything, common sense - is to run periodic web vulnerability scans to check for common vulnerabilities that can create problems for your website and, ultimately, your business. Better to be safe than sorry...

Tuesday, June 28, 2016

Email phishing expertise: Lack of skills or just a lackadaisical approach to security?

I can't think of any current security test that's more important than email phishing. Yet, it seems that so few organizations actually include this phishing as part of their ongoing information security assessments and penetration tests. I suppose that's why we keep hearing about all of the Cryptolocker infections and crazy statistics being published by Verizon, Ponemon and others.

Here are some articles that I have written that can help you get your email phishing testing initiatives off the ground or, at least, provide you with some insight into why email phishing is such a big deal:

Defining Your Overarching Goal for Email Phishing Testing 

What to include in an Exchange Server phishing test

Throw users a line to thwart an email phishing attack

Top Gotchas When Performing Email Phishing Tests

Stop attackers from catching you in a phishing hack

Minimize your online footprint to combat phishing

Use an enterprise phishing tool such as LUCY. Do it manually. Whatever the means – just do it. I don't care how advanced your environment is or how mature your security program may be. Your network is one click away from compromise and you need to take the steps necessary to minimize this risk in your business. I promise you these tips that I've written can help you fight this security threat but it has to be taken seriously.

Thursday, May 5, 2016

Twitter hack--NFL draft consequences

I recently received this press release regarding Ole Miss offensive tackle Laremy Tunsil's Twitter account and how it affected his NFL draft:


Will someone please tell me how the consequences of basic security weaknesses surrounding social media, passwords, and malware do not impact us all personally and professionally.

Wednesday, May 4, 2016

Yet another over-hyped security flaw making the headlines

For years now, I've ranted here and elsewhere about the nonsensical niche security "flaws" uncovered by researchers and academic scholars that often have no real bearing on business or society. There are always caveats, always reasons why these super-complicated exploits won't work, yet they make the headlines time and again. The recent Waze app discovery is a great example:

Vulnerability in Google's Waze app could let hackers track you, researchers say

Look past the hype, the justifications for job security and research funding. Focus on the things that matter, folks. Year after year, the studies show the same stuff, yet we keep ignoring it.

Monday, April 25, 2016

Wednesday, April 20, 2016

What you need to know about Checkmarx CxSAST version 8

Application security tool version upgrade usually don't excite me as it's often the same old, same old with a few new checks and niche features. However, the new version of Checkmarx CxSAST (formerly CxSuite, CxDeveloper, etc.) is spot-on. The next generation of the popular static source code analyzer - version 8 - was recently released and it contains some much-needed improvements over its predecessor.

One thing that's glaringly evident in version 8 is the streamlined installation process. Minimal options. No tricky questions. No random services installed to junk up your system (at least that I know of). It just installs and is ready to use in less than 5 minutes. I installed CxSAST on a much less powerful virtual machine than I had version 7 running on and it actually seems to be much faster. I'm not sure if this was by design or if it's just something in my head but it's a nice new feature. Additional features in version 8 (currently 8.0.1) that I think are beneficial include:
  • Major overhaul in the user interface - it was a long-time coming and it's lot better/easier. Here's a sample screenshot:

  • A new vulnerability state option of “Proposed Not Exploitable” for findings that are likely non-issues (you get quite a few of these when performing a source code analysis)
  • I haven't yet tried it (but suspect I will as my testing environment changes often) - apparently the CxSAST engine can now be deployed without enforcing the Hardware ID for the license. Nice.
  • Incremental (partial) scans can now be run via the native IDEs in Eclipse, IntelliJ, and Visual Studio
Checkmarx CxSAST has as much language support than other products I'm familiar with by supporting the traditional languages (C#, Java, VB.Net, PHP) as well as Ruby, Objective C, JavaScript, etc. To me, the mobile app support for Android and iOS is one of its biggest selling points.

I'm seeing an uptick in source code analysis interest. Perhaps it's because people are realizing that web vulnerability scanners and manual analysis simply can't find it all. Regardless, if you're looking to integrate source code analysis into your SDLC or do some last-mile security checks on enterprise web applications, mobile apps, or even legacy client/server applications, Checkmarx CxDeveloper, I mean CxSAST, needs to be on your radar. Here's a screenshot of some sample findings from the tool after scanning a Java application - many of which were not uncovered during traditional web vulnerability testing:

By the way, in the event you're looking to brush up on your application security skills, Checkmarx's Vulnerability Knowledgebase is a good resource for details on various application security vulnerabilities.

Thursday, April 14, 2016

Will the DBIR include Verizon's latest breach?

I'm a little late to pull the trigger on this but felt compelled to ask the question nonetheless:
Will Verizon include it's recent breach in its (presumably) forthcoming Data Breach Investigations Report

...It's related to this press release I received ~3 weeks ago: