You can't secure what you don't acknowledge.SM

Monday, December 12, 2016

Trump's an expert on hacking too, huh?

Yesterday, soon-to-be President Donald Trump showed just how ignorant politicians can be when it comes to computer security, breaches, and hacking. Referring to the Russians interfering with our recent election, the Donald said:
"Once they hack if you don't catch them in the act you're not going to catch them...They have no idea if it's Russia or China or somebody. It could be somebody sitting in a bed some place."
It's interesting. I've been involved with and heard of many additional hacking situations where the culprit was caught well after the fact...And, yet, the general public buys this kind of stuff because they don't know any better.

Who knows, maybe the Russians were involved. We, the people, will never know the details. Still, this seems to be yet another one of his statements without forethought. And to think this guy is going to be in charge of "cybersecurity" for our country. Between this kind of stuff and his continued attempts telling us what we can't do and how we must think, it's going to be an interesting four years!

Monday, December 5, 2016

Using NowSecure for automated mobile app testing

As an independent information security consultant, I'm always looking for good testing tools to rely on for my work. These tools, such as vulnerability scanners, network analyzers/proxies, and related manual analysis tools, are not the be-all-end-all answer for uncovering security weaknesses, but they are a very important aspect of what I do. Be it more generic vulnerability scans, a targeted penetration test, or a broader, more in-depth, security assessment, I simply don't have the time or brainpower to forgo using good tools.

In the interest of working smarter and not harder, there's a neat mobile app security testing automation tool from NowSecure that can automate the process of mobile app security analysis. This cloud or on-premises platform can be used on currently-deployed mobile apps or apps that are in the middle of their development lifecycle. Just load the APK (Android) or IPA (iOS) file for the mobile app to be tested and the checks are run - including real-world, dynamic simulation - and the report is generated.

You're provided with the specific vulnerability, CVSS references, and recommendations for each finding. NowSecure also includes informational findings as well as security checks that "passed". A summary view of sample findings is shown as follows:

Additional information regarding the mobile app's functionality is provided including:
  • Network connections outlining who/what the mobile app talks to (I always find this amusing and sometimes scary!)   
  • Behavioral events of specific app methods that are run along with timestamps
  • URLs listed in the source code and files contained in the archive package
NowSecure provides an interesting and refreshing approach to security testing. I had someone contact me years ago asking if I had a way to automate the process of testing numerous mobile apps. I didn't and wish I would have - or at least wish NowSecure's current platform would've been around then! Mobile app security testing is (still) a big and underserved market, to say the least. This type of tool can help take some pain out of the mobile app security assessment process. Some people out there may be good enough to do manual testing of every computer, web application, and mobile app that's thrown their way. However, odds are these folks are not getting a lot done or providing much value to their employers, customers, or even themselves.
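The "URLs listed in the source code and files contained in the archive package" item above is the kind of static triage you can script yourself while waiting on a full platform run. The following is an added example (my own illustration, not NowSecure's code or output): an APK is just a ZIP archive, so the script inventories its entries, pulls http(s) URLs out of the text-like entries and the raw bytes of classes.dex, and separates out plain-http endpoints, which are the ones worth a closer look since that traffic can be read or altered in transit. The sample APK is constructed in memory with made-up example.test hostnames.

```python
import io
import re
import zipfile

# Matches http(s) URLs in raw bytes; stops at whitespace and quotes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Entry types inside an APK that usually carry readable strings.
# A real AndroidManifest.xml is binary XML; it is kept here only to show the inventory.
TEXT_LIKE = (".xml", ".json", ".js", ".html", ".txt", ".properties", ".smali")


def triage_apk(apk_bytes):
    """Inventory an APK (ZIP) and collect URLs from text-like entries and classes.dex.

    Returns {"entries": [...], "urls": [sorted unique URLs],
             "where": {url: [entries containing it]}}.
    """
    entries = []
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            entries.append(info.filename)
            name = info.filename.lower()
            if not name.endswith(TEXT_LIKE) and name != "classes.dex":
                continue  # fonts, images, native libs: skip
            data = zf.read(info.filename)
            for m in URL_RE.finditer(data):
                url = m.group(0).decode("ascii", "replace").rstrip(".,;)\"'")
                hits.setdefault(url, set()).add(info.filename)
    return {
        "entries": entries,
        "urls": sorted(hits),
        "where": {u: sorted(f) for u, f in hits.items()},
    }


def plaintext_urls(result):
    """URLs fetched over plain http, i.e. readable/alterable by an on-path observer."""
    return [u for u in result["urls"] if u.startswith("http://")]


def build_sample_apk():
    """Constructed sample APK (hypothetical package, example.test hosts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", '<manifest package="com.example.sample"/>')
        # A DEX file is binary; string constants still appear as raw ASCII inside it.
        zf.writestr("classes.dex",
                    b"dex\n035\x00 ... https://api.example.test/v1/login "
                    b"... http://cdn.example.test/config.json ...")
        zf.writestr("res/raw/config.json",
                    '{"telemetry": "http://cdn.example.test/config.json", '
                    '"help": "https://help.example.test/"}')
        zf.writestr("assets/fonts/a.ttf", b"\x00\x01\x00\x00binary")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for url in report["urls"]:
        print(url, "<-", ", ".join(report["where"][url]))
    print("plain http:", plaintext_urls(report))
```

Run it against a real package by passing `open("app.apk", "rb").read()` to `triage_apk`; the "where" map tells you whether a suspicious host lives in code (classes.dex) or only in a config resource, which changes how you follow up with the developers.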

There's too much to do with security and not nearly enough time to do it. Work smart. Don't re-invent the wheel. Automate your security testing with tools like NowSecure where you can. Of course, perform your manual analysis where you need to. I never advocate relying solely on automated tools when performing a full security assessment. There's too much to overlook and lose. However, mobile apps are largely an unexplored frontier so you're going to have to rely on good tools to point you in the right direction and (especially) find those niche flaws that would be impossible or unreasonable to uncover otherwise.

Thursday, November 17, 2016

Careers in information security, dealing with ransomware, and more

With the field information security as popular as ever, I thought this would be a good time to share some pieces I've written on breaking into the field along with a few more on information security leadership. Oh, and I've thrown in a couple of pieces and a webcast on ransomware since that's a big deal these days. Enjoy!

10 Tips for Breaking into the Infosec Field 

What type of organization needs a CISSP on staff?

The important distinction between security facts and security problems

Why System Administrators are so Crucial to Security

The side-effects of miscommunication between IT and security pros

Security mistakes executives make

CEO Spoofing - Don't get fooled

Five ways to prevent a ransomware infection through network security 

Ransomware, Social Engineering and Human Error: What could go wrong?

As always, be sure to check out all of my other information security articles, webcast, etc. on my website

Wednesday, September 21, 2016

Join me along with ISACA and TechTarget today to learn about how to advance your infosec career!

I'm happy to announce that I'll be joining ISACA and TechTarget for their annual online security seminar - a day-long learning event for IT and information security professionals.  My session this afternoon, which starts at 3:30pm ET, will be I Can Do versus I Have Done...Certification, Experience, and the Information Security Career Path.

You can register by clicking the image or via this link:  

I hope to "see" you there!

Monday, September 19, 2016

People Behaving Badly and information security's tie-in

Last week, I had the opportunity to travel to the Bay Area in California to record an information security video (thanks Intel and TechTarget!). Of course, I couldn't travel across the country and not see the sights of San Francisco. A most excellent highlight of the trip was for my son and me to meet television and social media celebrity Stanley Roberts. My son is a huge fan of Stanley's, has learned a ton from him (me too!), and was over-the-moon excited to be able to meet him in person.

I wanted to share with you Stanley's videos (a really good "best of" is below) and how his work relates to what we do for a living. Stanley catching people in the act of doing bad things intentionally, or perhaps through ignorance, is the very thing that drives the field of information security today. It's the essence of my previous blog post from today and my whole shtick about how, if we just addressed the basics of security (followed the core best practices and rules), we wouldn't experience the consequences.

Stanley, we need to figure out how to do something on "people behaving badly with computers"!

Check out Stanley's YouTube channel or, if you're in the Bay Area, KRON 4 News...I think you'll enjoy it. If anything, beyond the laughs, you'll see that crazy human behavior is across the board in all aspects of life, not just in IT and security.

What, exactly, is reasonable security? The state of California knows!

With all that's happening in the world of information security, it seems that there's never enough regulation. From HIPAA to the state breach notification laws to PCI DSS and beyond, there are rules - and guidance - around every corner. Oddly enough, the breaches keep occurring. As if what we've been told up to this point is not reasonable enough. Some people, mostly federal government bureaucrats and lawyers who stand to benefit from such power, believe we need more regulations. Some are even attempting to rebrand information security as "cybersecurity" which only serves to create another layer of complexity and hurt our cause long-term.

Presumably, more regulations will clarify what "reasonable security" means. I disagree. The core information security essentials that we need to follow in order to be secure have been around for decades. Yet people think we need more guidance, more rules, more control. It's the mindset that many have toward fixing government schools: don't address the real problems, just throw more money at things and the challenges should go away soon. If things were only that simple!

If we're going to address information security reasonably, we don't need more regulations...what we need is discipline. The discipline to execute the security essentials over and over again, no matter how boring, how repetitive, and how politically inconvenient they are. I love what Kamala Harris, Attorney General for the state of California wrote in her 2016 California Data Breach Report:

The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

Folks, it's as simple as that...Ignoring the problem won't make it go away. Unless and until we address the core security practices - practices that have been proven to work time and again - we'll continue to struggle. So, what's it going to be?

Wednesday, August 24, 2016

A WordPress security resource for you: WP Security Audit Log

WordPress has had its fair share of security flaws over the years. Arguably more than any other mainstream platform. A quick search of 'wordpress' at the National Vulnerability Database returns over 1,100 published vulnerabilities as old as 2004 and several as recent as this month. Despite all of the security issues, WordPress is a highly-popular platform for businesses and individuals alike to create their online presence.

There are a lot of plug-ins and related resources to help with WordPress security, but there's one that I'm familiar with that you might want to check out. It's available through WP White Security - a company run by my colleague and web security expert Robert Abela. He not only offers WordPress security consulting services around hardening, malware removal, and the like but, more importantly (from a proactive security point-of-view at least), a plug-in that you can use to lock down your web presence and keep it in check, called WP Security Audit Log.

I've been thinking of using WordPress to host a website but I've held off because of the security flaws that come with it if it's not proactively maintained and monitored. Tools such as WP Security Audit Log are the only way to go outside of a managed security service to ensure your website is not exploited for ill-gotten gains. If you host your own WordPress website and you're not a technical person, then something like this is an absolute no-brainer. I've been telling Robert for a couple of years now that I was going to write a blog post to share his offerings with my audience. I'm guessing I could've helped prevent untold exploits and breaches had I done it sooner! I hope you find it beneficial nonetheless.
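An audit log only earns its keep if somebody (or something) reads it. As an added example, and not WP Security Audit Log's code or its log format, here is the kind of small detector you can run over an activity log to turn "we were logging" into "we noticed": a burst of failed logins from one address, a success from that same address afterwards, a user being promoted to administrator, and a plug-in being activated. The log lines below are constructed for the example, with a made-up event syntax and documentation-range IP addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample activity log (this example's own line format, not the plugin's).
SAMPLE_LOG = """\
2016-08-24T02:14:05Z 203.0.113.7 login_failed user=admin
2016-08-24T02:14:06Z 203.0.113.7 login_failed user=admin
2016-08-24T02:14:07Z 203.0.113.7 login_failed user=admin
2016-08-24T02:14:08Z 203.0.113.7 login_failed user=admin
2016-08-24T02:14:09Z 203.0.113.7 login_failed user=admin
2016-08-24T02:14:11Z 203.0.113.7 login_success user=admin
2016-08-24T02:15:30Z 203.0.113.7 user_role_changed user=backup-svc old=subscriber new=administrator
2016-08-24T02:16:02Z 203.0.113.7 plugin_activated plugin=example-plugin
2016-08-24T09:00:00Z 198.51.100.20 login_success user=editor
2016-08-24T09:05:12Z 198.51.100.20 post_published user=editor post_id=42
"""


def parse_line(line):
    """'<ts> <ip> <event> key=value ...' -> dict with ts as datetime."""
    ts, ip, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "event": event, **attrs}


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (alert_type, ip, subject) tuples for the events worth a human look."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    brute_forced = set()           # ips that already tripped the failure threshold
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        e = parse_line(raw)
        if e["event"] == "login_failed":
            q = failures[e["ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and e["ip"] not in brute_forced:
                brute_forced.add(e["ip"])
                alerts.append(("brute_force", e["ip"], e["user"]))
        elif e["event"] == "login_success" and e["ip"] in brute_forced:
            # A success right after a failure burst is the case to treat as a compromise.
            alerts.append(("success_after_failures", e["ip"], e["user"]))
        elif e["event"] == "user_role_changed" and e.get("new") == "administrator":
            alerts.append(("admin_granted", e["ip"], e["user"]))
        elif e["event"] in ("plugin_installed", "plugin_activated"):
            alerts.append(("plugin_change", e["ip"], e["plugin"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The ordinary editor activity from 198.51.100.20 produces nothing, which is the point: the rules fire on the small set of events that change who can log in or what code runs on the site, so the output stays short enough that a non-technical site owner will actually act on it.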

One final thing - another good practice that's often required by law or contract - if anything, common sense - is to run periodic web vulnerability scans to check for common vulnerabilities that can create problems for your website and, ultimately, your business. Better to be safe than sorry...

Tuesday, June 28, 2016

Email phishing expertise: Lack of skills or just a lackadaisical approach to security?

I can't think of any current security test that's more important than email phishing. Yet, it seems that so few organizations actually include phishing as part of their ongoing information security assessments and penetration tests. I suppose that's why we keep hearing about all of the Cryptolocker infections and crazy statistics being published by Verizon, Ponemon and others.

Here are some articles that I have written that can help you get your email phishing testing initiatives off the ground or, at least, provide you with some insight into why email phishing is such a big deal:

Defining Your Overarching Goal for Email Phishing Testing 

What to include in an Exchange Server phishing test

Throw users a line to thwart an email phishing attack

Top Gotchas When Performing Email Phishing Tests

Stop attackers from catching you in a phishing hack

Minimize your online footprint to combat phishing

Use an enterprise phishing tool such as LUCY. Do it manually. Whatever the means – just do it. I don't care how advanced your environment is or how mature your security program may be. Your network is one click away from compromise and you need to take the steps necessary to minimize this risk in your business. I promise you these tips that I've written can help you fight this security threat but it has to be taken seriously.

Thursday, May 5, 2016

Twitter hack--NFL draft consequences

I recently received this press release regarding Ole Miss offensive tackle Laremy Tunsil's Twitter account and how it affected his NFL draft:


Will someone please tell me how the consequences of basic security weaknesses surrounding social media, passwords, and malware do not impact us all personally and professionally?

Wednesday, May 4, 2016

Yet another over-hyped security flaw making the headlines

For years now, I've ranted here and elsewhere about the nonsensical niche security "flaws" uncovered by researchers and academic scholars that often have no real bearing on business or society. There are always caveats, always reasons why these super-complicated exploits won't work, yet they make the headlines time and again. The recent Waze app discovery is a great example:

Vulnerability in Google's Waze app could let hackers track you, researchers say

Look past the hype, the justifications for job security and research funding. Focus on the things that matter, folks. Year after year, the studies show the same stuff, yet we keep ignoring it.

Monday, April 25, 2016

Wednesday, April 20, 2016

What you need to know about Checkmarx CxSAST version 8

Application security tool version upgrades usually don't excite me as it's often the same old, same old with a few new checks and niche features. However, the new version of Checkmarx CxSAST (formerly CxSuite, CxDeveloper, etc.) is spot-on. The next generation of the popular static source code analyzer - version 8 - was recently released and it contains some much-needed improvements over its predecessor.

One thing that's glaringly evident in version 8 is the streamlined installation process. Minimal options. No tricky questions. No random services installed to junk up your system (at least that I know of). It just installs and is ready to use in less than 5 minutes. I installed CxSAST on a much less powerful virtual machine than I had version 7 running on and it actually seems to be much faster. I'm not sure if this was by design or if it's just something in my head but it's a nice new feature. Additional features in version 8 (currently 8.0.1) that I think are beneficial include:
  • Major overhaul in the user interface - it was a long time coming and it's a lot better/easier. Here's a sample screenshot:

  • A new vulnerability state option of “Proposed Not Exploitable” for findings that are likely non-issues (you get quite a few of these when performing a source code analysis)
  • I haven't yet tried it (but suspect I will as my testing environment changes often) - apparently the CxSAST engine can now be deployed without enforcing the Hardware ID for the license. Nice.
  • Incremental (partial) scans can now be run via the native IDEs in Eclipse, IntelliJ, and Visual Studio
Checkmarx CxSAST has as much language support as other products I'm familiar with, supporting the traditional languages (C#, Java, VB.Net, PHP) as well as Ruby, Objective C, JavaScript, etc. To me, the mobile app support for Android and iOS is one of its biggest selling points.

I'm seeing an uptick in source code analysis interest. Perhaps it's because people are realizing that web vulnerability scanners and manual analysis simply can't find it all. Regardless, if you're looking to integrate source code analysis into your SDLC or do some last-mile security checks on enterprise web applications, mobile apps, or even legacy client/server applications, Checkmarx CxDeveloper, I mean CxSAST, needs to be on your radar. Here's a screenshot of some sample findings from the tool after scanning a Java application - many of which were not uncovered during traditional web vulnerability testing:
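To see why source analysis turns up things a web vulnerability scanner can't, it helps to look at what a static analyzer actually does: it follows untrusted input from where it enters the code to where it is used dangerously, whether or not that path is reachable from the outside today. The following is an added, deliberately small illustration written for this post (not Checkmarx's engine or its rules): a line-by-line taint tracker for a Java servlet method that marks variables assigned from request parameters as tainted, propagates taint through assignments, and reports when a tainted variable reaches a query or command-execution sink. The Java snippet is constructed; a parameterized query with a bound value is included to show that it is correctly not flagged.

```python
import re

# Where untrusted data enters (servlet request API).
SOURCE_PATTERNS = [re.compile(r"request\.getParameter\("),
                   re.compile(r"request\.getHeader\(")]
# Where it must not arrive unsanitized.
SINK_PATTERNS = {
    "sql_injection": re.compile(r"\.(executeQuery|executeUpdate|execute|prepareStatement)\("),
    "command_injection": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
}
# '<Type> name = rhs;' (toy: also matches '==', good enough for straight-line code).
ASSIGN_RE = re.compile(r"(?:\w+\s+)?(\w+)\s*=\s*(.+?);")
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')


def uses_tainted(code, tainted):
    """Tainted identifiers that appear in `code` as whole words."""
    return sorted(t for t in tainted if re.search(rf"\b{re.escape(t)}\b", code))


def scan_java(src):
    """Intra-method taint tracking over one Java method body (constructed example rules)."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.strip()
        if code.startswith("//"):
            continue
        # Blank out string literals so 'WHERE id = ?' cannot be mistaken for variable id.
        code = STRING_LITERAL.sub('""', code)
        m = ASSIGN_RE.search(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            if any(p.search(rhs) for p in SOURCE_PATTERNS) or uses_tainted(rhs, tainted):
                tainted.add(var)          # taint enters or propagates
            else:
                tainted.discard(var)      # reassigned from a clean value
        for kind, sink in SINK_PATTERNS.items():
            hit = sink.search(code)
            if hit:
                used = uses_tainted(code[hit.end():], tainted)
                if used:
                    findings.append({"line": lineno, "type": kind, "tainted": used})
    return findings


# Constructed sample servlet method.
SAMPLE_JAVA = """\
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    String id = request.getParameter("id");
    String query = "SELECT * FROM users WHERE id = " + id;
    ResultSet rs = stmt.executeQuery(query);
    String name = request.getParameter("name");
    PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
    ps.setString(1, name);
    String cmd = "ping -c 1 " + request.getParameter("host");
    Process p = Runtime.getRuntime().exec(cmd);
}
"""

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['type']} via {', '.join(f['tainted'])}")
```

Neither finding depends on the servlet being deployed, reachable, or mapped to a URL, which is exactly the gap between this kind of analysis and black-box web scanning. A real engine adds inter-procedural tracking, sanitizer awareness and a proper parser; the "Proposed Not Exploitable" state mentioned above exists because even good engines over-approximate on paths like these.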

By the way, in the event you're looking to brush up on your application security skills, Checkmarx's Vulnerability Knowledgebase is a good resource for details on various application security vulnerabilities.

Thursday, April 14, 2016

Will the DBIR include Verizon's latest breach?

I'm a little late to pull the trigger on this but felt compelled to ask the question nonetheless:
Will Verizon include its recent breach in its (presumably) forthcoming Data Breach Investigations Report?

...It's related to this press release I received ~3 weeks ago:

Wednesday, April 13, 2016

Why data classification is a joke

I just saw this post on Slashdot about Obama saying that classified means whatever it needs to mean. It reminds me of how data classification is treated as an information risk management function in the enterprise: mostly non-existent.

Data classification programs that do exist are typically a joke whereby IT and security handle everything with no involvement from the business or legal, or legal handles everything with IT and security being out of the loop altogether. I wrote an article related to this for Ziff Davis a couple of years ago:
The funny thing about "confidential" information

...I'm not even sure why we bother going through the motions. It's like security policies that are not enforced - who are we kidding!?

Wednesday, March 2, 2016

A patch for stupid, PCI DSS penetration testing tips, and focusing on what matters in security

The following are some new articles I've written for TechTarget and Ziff Davis. Enjoy!

Maybe there is a patch for stupid
Six areas of importance in the PCI Penetration Testing Guidance
Niche security flaws should NOT be your focus

Also, check out the other information security content I've written over the years on my website at

Monday, February 22, 2016

New independent content on information security

Here are some articles and guest blog posts I've written for my friends at TechTarget, Ziff Davis, AlgoSec, and Rapid7:

Key Network Security Questions You Need To Ask Your Cloud Vendors - Now!

Everything happens for a reason in security

How one bad decision brought down an enterprise e-commerce site in minutes

With security, periodic and consistent is key

How emerging threat intelligence tools affect network security

The science behind bad passwords


Also, be sure to check out the other information security content I've written over the years on my website at


Monday, January 25, 2016

LUCY - a very powerful email phishing tool

If you're an IT or information security professional you need to know about a great - and relatively new - tool that you can use as part of your security assessment and/or user awareness and training program. It's called LUCY. I came across a small online blurb about LUCY a few months ago and thought I would check it out. Having dealt with both open source and commercial email phishing tools that have either gone kaput or whose vendors have no interest in serving an independent consultant like myself, it looked like LUCY might be just what I needed. It is.

Available as a virtual machine download or an application running in the cloud, LUCY supports traditional email phishing campaigns but it goes several steps further by supporting SMiShing (SMS phishing), the simulation of malware attacks, Word macros, and it has a bunch of other features. LUCY's reporting capabilities are nice as well. The following is a sample of one page of the LUCY Web interface and you can see more for yourself here.

Before I discovered LUCY, I was seriously considering hiring a developer to write my own email phishing tool. I'm glad I didn't because I would have missed a whole lot of features that I never would've thought about. I'm also confident that I would've ended up getting in over my head with such a project. That's the great thing about working in this industry – I get to rely on the brainpower, findings, and products of all of the researchers and developers who are way smarter than me.

LUCY's feature set is nice but, to me, the best part is the support that I have received from its Swiss-based creator, Oliver Münchow. Oliver was very responsive and extremely patient with me as I got my environment up and running. In fact, I bugged him with so many DNS/SMTP configuration and user workflow questions (when, in many cases, I should've read the fine manual) he told me that he obviously needs to make some tweaks to the documentation and the functionality of the program. :-) He already has. Pretty cool.

Studies from Verizon, Trustwave, and others all show that social engineering via email phishing is one of the most popular attacks. It's just too simple and too effective. Many (most?) businesses today are making it too easy for criminal hackers to carry out their malicious acts for ill-gotten gains. I've been doing this type of work more and more as part of my overall security assessment projects and the results are pretty scary. If you're not doing email phishing testing, you can't honestly say that you're looking at everything - testing for all possible vulnerabilities - in your environment.

Whether you work for someone else or for yourself, you should check out LUCY if you're in need of simple to use, yet powerful, email phishing and security awareness/training campaign capabilities that you can get up and running almost immediately. Minimal technical expertise is required. Maximum value is pretty much guaranteed. 

You can check out more about social engineering and email phishing (tips, tools, and techniques) in the brand-new 5th edition of my book, Hacking For Dummies.

Wednesday, January 20, 2016

Worst passwords (on your network right now)

The fifth-annual Worst Passwords List put out by SplashData is here and the findings aren't terribly surprising. Here are the top five:

#1: 123456
#2: password
#3: 12345
#4: 12345678
#5: qwerty
Good stuff! What's that quote about insanity? 
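Blocking exactly those five strings is not enough, because the same users who pick "password" will cheerfully pick "Password1" or "P@ssw0rd!" when the policy rejects it. As an added example (my own, not SplashData's), here is a password check that normalizes the obvious dressing-up (case, common letter-for-symbol substitutions, trailing digits and punctuation) before comparing against the top five quoted above, so the variants get caught too. The denylist is the five entries from the post; the normalization rules are this example's own assumptions.

```python
import re

# The SplashData top five quoted above; a real deployment would load a far longer list.
WORST_PASSWORDS = {"123456", "password", "12345", "12345678", "qwerty"}

# Common letter-for-symbol swaps, undone before comparison (assumed set).
LEET = str.maketrans("@$013", "asole")


def normalize(password):
    """Reduce a password to the base word a user probably started from."""
    s = password.lower()
    s = re.sub(r"[^a-z0-9]+$", "", s)       # "password!" -> "password"
    if re.search(r"[a-z]", s):
        s = re.sub(r"\d+$", "", s)          # "qwerty2016" -> "qwerty"
        s = s.translate(LEET)               # "p@ssw0rd" -> "password"
    return s                                # all-digit strings are compared whole


def check_password(password, denylist=WORST_PASSWORDS, min_length=12):
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if normalize(password) in denylist:
        problems.append("on_denylist")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Qwerty2016!", "123456", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The same `normalize` function is what you would run over a dumped hash-cracking result or a password audit to count how many accounts on your own network are one trivial substitution away from this list.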

One of those security basics that we'll likely continue to ignore until the end of time. That's alright, as some of the best sideline analysts will proclaim: we need not focus on such trivial things. Well, they have a point. After all, there are really cool technologies people can spend tons of money on instead. It's that kind of investment that makes it look like things are happening in and around IT!

Thursday, January 14, 2016

Hacking For Dummies, 5th edition - Brand new and more of what it oughta be

It's official - the 5th edition of my book Hacking For Dummies is out!

Outside of the first edition that was written 13 years ago, this new edition has, by far, the most updates and improvements yet. All based on the mistakes I make and the things I learn in my hands-on work performing independent security vulnerability assessments and penetration tests, I feel like Hacking For Dummies has come of age.

In this new edition, I have added new security checks and tools (e.g., Kali Linux) for many of the chapters. I've sprinkled in some more coverage on the cloud where necessary as well as updates on security testing methodologies. I also provide links to more (and more current) tools and resources in the appendix. I cover Windows 10 and even some of the latest security controls in Android Lollipop and M as well as iOS 9. I also have a new section on the Internet of Things.

Perhaps most importantly, I've eliminated a lot of the preachiness and references to "ethical" hacking and "hackers" and, instead, have put things more in terms of IT security professionals and security testing programs...It's security vulnerability assessments and penetration testing as it should be.

From the get-go, my goal with this book was not to cover every single niche hack that comes out - I'm not that smart and certainly don't have enough time (or pages) to do so. Instead, my goal is to hit the important areas that are getting so many enterprises into trouble (i.e. the low-hanging fruit) as well as to outline the security assessment process from start to finish, i.e. planning things out, understanding the mindset and methodologies, all the way through the testing and then follow-up, including keeping management on board. I'm not aware of any other book that does this and believe that's where the real value in all of this is.

Thanks a ton to Amy and Katie at Wiley for helping make this book happen, to long-time friend Peter Davis for his most excellent technical edits, and to well-respected IT/security veteran Richard Stiennon for writing the new foreword. I couldn't have done it without your efforts and insight!

A LOT of sweat equity among many people has gone into Hacking For Dummies, 5th edition. I hope you'll check it out! I really think you'll like it.