You can't secure what you don't acknowledge.SM

Tuesday, December 19, 2017

Solared Cyber Security's APPscreener - a static application security testing tool worth checking out

A large part of the vulnerability and penetration testing work I do focuses on application security - both web and mobile. A growing portion of my testing in this area is source code analysis and looking at software flaws where they begin. I'm always looking for good tools to use and I recently came across one that you might want to check out called APPscreener. It's a cloud-based (or on-premise) static application security testing (SAST) tool that can look at both raw source code and, in the event you don't have access to the source, binaries for both traditional web applications and mobile apps. 

APPscreener has the best user interface I've seen in this type of tool. Once you get the on-premise version installed - or you simply get logged into the cloud version - it's literally point and click. I like this approach because not everyone with a need to perform a static analysis is super technical. These people, therefore, won't get bogged down with the installation and configuration minutiae that's common in other SAST tools I've used (especially the open source ones). APPscreener's interface can be seen here:

Reporting includes options for OWASP Top 10 (2017 support is said to be coming soon), PCI DSS, and more as shown here:

APPscreener's broad list of supported languages/platforms for static analysis is as follows:
  • ABAP 
  • C, C++, and C#
  • HTML5
  • Java and Java for Android
  • JavaScript
  • Objective C
  • PHP
  • PL/SQL
  • Python
  • Ruby
  • Scala
  • Solidity
  • T/SQL
  • VB 6.0
APPscreener can perform binary analysis on various filetypes as well:
  • Android
  • dll
  • exe
  • iOS
  • jar
  • war
One really neat thing about APPscreener is that you can point it directly at apps in Google Play and the Apple App Store, as shown below:

This is a nice feature for enterprises that have standardized on a specific set of business apps and need to formally roll them into their security program by vetting them for security flaws. It's an especially important feature when you don't have access to the source code.

I'm always looking to improve my application security testing approaches and tools such as APPscreener make a big difference in not only the time and effort involved in this work but also in the quality of the findings I'm attempting to uncover. Check it out if you're in the market for a SAST tool. Based on what I'm seeing, you'll quite likely find many application security flaws you didn't know you had...and those are the best kind since you can't fix what you don't know about!

Saturday, October 14, 2017

When PR spam is actually amusing

I get spammed by PR firms all the time - quite likely a dozen or more emails from them in my business inbox every day. I think I get on their radar because certain articles I write happen to be related to what these spammers are trying to promote. Well, I recently got this spam message via email from a PR firm regarding an upcoming security conference. Looks interesting. But to heck with the show...and don't worry about what it says (I know, it's hard to see)...What's funny is that someone apparently did some edits to the original press release and the guy who sent it forgot to accept those changes (and proofread)...can't make this stuff up. ;-)

Thursday, October 12, 2017

Hacker Halted - a security show worth attending

I've been a big advocate of attending security shows in order to learn, network, and see/hear about the latest technologies. There are a ton of these shows each year - some are a good fit, others not so much. Well, there's one show that I just attended in Atlanta this week that's worth my mentioning and recommendation. It's called Hacker Halted. Put on by the EC-Council (Certified Ethical Hacker) folks, it's well-attended but not too big. I spoke with and exchanged business cards with several people from around the country. Word had it that around 2,000 people were in attendance. 

I saw several good speakers including one of the best in the business, Winn Schwartau, as well as the EC-Council's founder and president, Jay Bavisi. Jay shared some great points on the state of security, including how we're facing a skills shortage, not a labor shortage. I totally agree. There are many people working in positions of security authority and decision-making that don't really know a whole lot about security. It's learn as they go and that's bad for business, good for the criminals. 

Jay also covered the EC-Council's new LPT certification and how penetration testing is becoming commoditized because of the assumption that vulnerability scans are "good enough" and overall ignorance of the process. Agreed! Jay also said that penetration testing often lacks professionalism, especially when it comes to security assessment deliverables. The emphasis is instead placed on shiny objects/cool tools and the prima donna attitudes emanating from many of the people who do this work. Love it! I see this all the time and it's hurting us and our field.

I believe Hacker Halted is usually in Atlanta. Check out their website and maybe I'll see you there next year.

Wednesday, September 27, 2017

SEC, Equifax, what's next? Focus on - and fix - the stuff that matters in security.

I recently consulted with a client on the SEC and Equifax breaches and had some thoughts that I left with that I wanted to share here:
  1. Your security program is only as good as your day-to-day processes and people. No amount of policies, plans, and technologies is going to prevent you from getting hit.
  2. Reactive security is apparently the new norm, at least according to SEC chairman Jay Clayton. I don't disagree with this, in spirit. No one is 100% immune from hacking and breaches. However, you still have to make efforts to find and fix the silly, stupid stuff that's creating problems such as these. Just ask Equifax about web security penetration testing and patching and how seriously they should be treated.
  3. Unless and until the information security basics are mastered, you're a sitting duck.
  4. More government, more regulation, more "cyber" whatever won't fix these elementary security gaffes. It'll certainly make it look like something's getting done and (sadly) that's often good enough...until the next breach occurs.
  5. Money spent on computer systems and applications does not translate to security. In fact, it can make it worse due to the false sense of security and because of all the system complexities involved. 
Bottom line, pay attention to what's happening. You can't hit a target you can't see - or aren't even thinking about. Let these other peoples' experiences and misfortunes be teachable moments for improving security in your business. Don't repeat history because, as Stein's Law says, if something cannot go on forever, it will stop.

Here's some additional reading on this subject:

Focus on the right things to get security results

Do what you can to solve your known security challenges

Thursday, August 31, 2017

HIPAA and data encryption - what you need to know

When I co-wrote the first edition of the book The Practical Guide to HIPAA Privacy and Security Compliance, both HIPAA and data encryption were a big deal. Fast forward nearly 15 years and they're still a big deal, yet many people are still struggling with both. 

If you're looking for some insight/guidance on HIPAA compliance, data encryption, or security intelligence in today's business environment, here are a few new pieces that I wrote for the nice folks at Thales e-Security that you may want to check out:

Going beyond addressable with HIPAA and doing what’s right with data encryption 

How security intelligence can support HIPAA compliance

Why PHI access controls matter

The HIPAA compliance payoffs of protecting PHI with encryption


Wednesday, August 16, 2017

Hacking For Dummies featured in new Lifetime movie Running Away

I had the neat opportunity to recently see my book, Hacking For Dummies,  featured in this summer's Lifetime movie called Running Away. I've known that it was a possibility for some time but it was cool to see it on the screen! Here's the scene it's featured in:

You can see more about - and purchase - Hacking For Dummies (currently in its 5th edition) on Amazon by clicking the graphic below:

Thanks for your support!

Thursday, August 10, 2017

Rapid7's Insight platform provides focused analytics for your security program

Fairly recently, Rapid7 took their vulnerability management platform up to the next level with their analytics platform called Rapid7 Insight. It's beneficial for an independent consultant like myself and even more useful for enterprises with IT environments of growing complexity. Rapid7 Insight is marketed as a way to bring together the Nexpose vulnerability research, Metasploit exploits, global security intelligence and exposure analytics into a single system that can help businesses solve more - and better - security problems. 

A cloud tool that integrates with your Nexpose instance, Rapid7 Insight lets you see what's being uncovered in your environment, monitor specific vulnerabilities, and bring it full circle with ticketing system integration to support remediation workflows. You even have a choice of where to store your data in the cloud in order to meet specific compliance/legal requirements. Here are some examples of Insight's "Liveboards" that provide info on specific areas of vulnerability management. These show external-facing security vulnerability data, including details on exploitable vulnerabilities.

Being able to run a tool such as this can add tremendous value to security testing and vulnerability remediation programs. This level of detail can show you exactly where you need to focus your efforts in order to expedite remediations and ensure returns on your security efforts. Hint: getting your patching under control, once and for all will likely be front and center. This information is good for sharing with executive management and can also help you prioritize your efforts that involve security policy development, user awareness and training, incident response and other core areas of security that need attention.

Neither Rapid7 Insight nor any other tool is going to fix all of your security problems, but it will at least set you on the right path. The discipline required to see things through is totally up to you.

Monday, August 7, 2017

How to gain control & become an IoT security expert

You've no doubt heard the vendor spiels and seen their solutions for gaining control of your Internet of Things environment. But do you truly have IoT under control? Like other things in IT, it can be pretty overwhelming, especially when you're struggling to keep your arms around your traditional network environment with cloud and mobile and all the complexities they bring. 

Well, IoT security doesn't have to be that difficult. It's complicated in terms of a well-run security program but, in many ways, there's really nothing new...I can assure you that if you step back to look at the bigger picture of what's going on with IoT security, from vendor marketing overload to understanding your network to fixing the basics, you can (and will) gain control of IoT if you take a measured approach. 

Here are several pieces I've created on IoT security that can help you in your endeavors:

Integrating the IoT into your application security program

Getting Ahead of the IoT Security Curve (an ISACA/TechTarget webinar)

Don't overlook this key element in securing the Internet of Things

Is Your Security Program Ready for the Internet of Things?

IoT at RSA brings a new focus on old problems

Securing the Internet of Things

Top cybersecurity trends for the first half of 2017

I hope this helps. Don't hesitate to reach out to me if you're ever in need of IoT security testing or strategy consulting. Cheers!

Wednesday, June 21, 2017

Using Centrifuge for IoT security testing

I love hacking things, especially new things like what's showing up on networks around the globe in the form of IoT. If IoT security is anywhere on your radar, you're likely incorporating these devices into your security testing program. Well, there's a new IoT security assessment tool in town that you need to know about called Centrifuge, brought to you by Tactical Network Solutions - makers of the former (and awesome) Reaver Pro tool.

Centrifuge is a cloud-based platform that can reverse engineer binary firmware files and analyze them for security flaws. It supports various IoT systems, including firmware from common routers and network devices from Belkin, D-Link, and Linksys, and finds some interesting stuff. For example, here's the platform showing the file structure from an older Netgear R7000 wireless router's firmware:

And here's the output of Centrifuge's crypto analysis...note the public and private keys uncovered:


The most telling is the number of vulnerabilities uncovered (an amazingly scary number of command injections and buffer overflows in just one product's firmware) as shown here:

IoT poses formidable security threats to end consumers and businesses alike, and those of us in IT and security need to be paying attention. We simply cannot rely on IoT vendors to keep things in check. Instead, we have to find and resolve security flaws ourselves and establish compensating controls where possible. Clearly, there's a lot going on in terms of IoT security; at least we have tools like Centrifuge coming to market to help us further the cause.

Monday, May 15, 2017

The real reasons behind the WannaCry ransomware

As we continue down the path of yet another major security breach - this time with the ransomware WannaCry - let us remember that it's not just about the criminal hackers, out-of-control government agencies such as the NSA, or vendors such as Microsoft putting out vulnerable software. Every single one of us working in IT, security, and business today is complicit in these challenges.
  • Outdated/unsupported operating systems are running. We are responsible.
  • Patches are not getting installed in due time. We are responsible.
  • People are clicking links and making other bad decisions. We are responsible.
  • Stuff is happening on the network, sight unseen. We are responsible.
  • Policies are ignored. We are responsible.
  • Unfunded mandates still exist. We are responsible.
  • Systems – even entire network environments – remain untested. After all, you can't secure what you don't acknowledge. We are responsible.
  • Underscoped and unauthenticated vulnerability scanning and penetration testing paints an inaccurate picture of the average security posture. We are responsible.
  • Incident response procedures remain undocumented. We are responsible.
  • Credibility and relationships are essential for mastering information security, yet we continue to focus on everything but that. We are responsible.
  • Information security continues to be seen as IT's problem. We are responsible.
I don't know how many more widespread breaches we'll have to endure but I do know that everyone has a hand in these challenges before us. We can continue down the path of promising that we are compliant and secure when we are, in reality, reacting aimlessly to everything that happens. I know that managing enterprise IT environments is not easy and I certainly don't envy anyone responsible for securing them. Still, there is so much that most organizations are leaving on the table. But, why?

Is it people protecting their territories under the guise of long-term job security? Perhaps it's lack of budget or management buy-in? Maybe it's an out-of-control user base continuing to not think before they act...?

Whatever it is, it needs to change. The criminal hackers and those supporting them are not going away. In fact, they look at issues such as the WannaCry ransomware outbreak as yet another reason they need to keep doing what they're doing. As the saying goes: change before you have to.

Monday, May 8, 2017

My CSO interview/story: What it takes to be an independent information security consultant

I'm very honored to have been interviewed recently for CSO Magazine about my background and what it takes to stand out - and survive - as an independent security consultant. Check it out here:

Thanks for the nice write-up, Bob Violino!

Monday, April 3, 2017

People will violate your policies all day long...if you let them.

I recently saw this out in front of a local restaurant where management was trying to resolve parking, sidewalk access, and traffic issues. Their "control" obviously doesn't work:

Be it parking cars or using computers, instant gratification is the name of the game. People want what they want. They want it right now. And, they will take the path of least resistance - and violate your policies in the process to get it - especially when enforcement is weak like in the picture above.  

Good lesson for IT and information security leaders. Lots of room for improvement in this area.

Friday, March 31, 2017

Monday, March 13, 2017

Web and mobile application security vulnerability and penetration testing resources

Application security is no doubt one of the most important aspects of a security program. Here are some new pieces I've written that can help keep your web and mobile app vulnerabilities in check and your application security program on the right track. Pay special attention to the last one regarding security assessments and reality:

Keeping your Web applications in check with HIPAA compliance
Mobile app security risks could cost you millions
Common oversights in mobile app security
How to stay ahead of the curve in application security
Protecting Web applications with network controls - Is it effective?
Secure coding job interview questions
Ignore these common mobile app security risks at your own peril
Why Security Assessments are Often not a True Reflection of Reality

And, in case you missed the RSA conference this year, here are some pieces that I wrote to recap the show:
Top stories coming out of the 2017 RSA Conference worth paying attention to
What you need to know about the 2017 RSA Conference
RSA Conference tips for CISOs – From 10 years ago to today
IoT at RSA: A New Focus on Old Problems

Be sure to check out my other information security resources on my website and follow me on Twitter @kevinbeaver.


Friday, March 3, 2017

Email phishing services: Just what you need to know to start mastering the task

Got phished? Of course you have...whether you know it or not! 

As with penetration and vulnerability testing and any other form of security assessment, you need to be performing email phishing tests on your users – all of them, including executive management – on a periodic and consistent basis. I'm doing more and more of this work and the results that I'm finding are to the point that all other security testing could be stopped and existing security technologies could be eliminated unless and until this situation is under control. I'm finding these gaping holes in IT and security programs not because I'm smart...I just use good tools and know what to do/say beyond traditional email phishing testing - which, by the way, stinks out loud in most organizations and serves as a mere checkbox item.

I'm not going to give away all of my secrets - that's what my independent email phishing consulting services are for. But I will share with you some insight and tips that you're probably not going to find elsewhere or that might require some painstaking "experience" to learn otherwise. Here you go:

Be sure to check out all of my other information security resources on my website when you get a chance. Cheers!

Monday, February 6, 2017

Getting to know your network with Managed Switch Port Mapping Tool

In my years performing independent network security assessments, one thing that has really stood out to me is the lack of network insight. Regardless of the size of the organization, the industry in which they operate, and the level of security maturity, in most cases, I see IT and security shops with very little:
  • documentation
  • inventory
  • configuration standards
  • logging and alerting outside of basic resource monitoring
What this means – and what it can easily lead to – is incidents and subsequent breaches that may or may not be detected. These gaps combined with today's network complexities are virtually guaranteed to create unnecessary business risks.

In the spirit of having good tools to make your job easier, Northwest Performance Software has a program called Managed Switch Port Mapping Tool that can help put you on the right track in terms of getting to know your network environment, improving your visibility, and managing your ongoing changes. It's a tool that I have used off and on for years in conjunction with their popular toolset called NetScanTools Pro. The Managed Switch Port Mapping Tool is pretty straightforward – it simply uses SNMP to map out network switches which can provide a ton of information about entire network segments - information that often gets taken for granted. Here's a sample screenshot:
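To make the SNMP mapping concrete, here is an added example that is not from the original post and not the Managed Switch Port Mapping Tool's own code: it joins the three standard tables such a mapper relies on (BRIDGE-MIB dot1dTpFdbPort for MAC-to-bridge-port, dot1dBasePortIfIndex for bridge-port-to-ifIndex, and IF-MIB ifName for the port label) into a per-port inventory. The snmpwalk output it parses is constructed for illustration, and the `bridgeport-N` fallback label and the `multi_mac_ports` helper are my own additions.

```python
from collections import defaultdict

# Constructed sample of snmpwalk-style output from a managed switch.
# The MAC addresses and interface names are made up for illustration.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.12.41.170.187.204 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.26.43.60.77.94 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.80.86.1.2.3 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.216.203.138.1.1.1 = INTEGER: 3
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.31.1.1.1.1.10001 = STRING: "Gi1/0/1"
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: "Gi1/0/3"
"""

# Standard OID prefixes (table column OIDs, each followed by the row index).
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2."         # dot1dTpFdbPort: MAC (6 octets) -> bridge port
BASEPORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex: bridge port -> ifIndex
IFNAME = "1.3.6.1.2.1.31.1.1.1.1."            # ifName: ifIndex -> interface name


def parse_walk(text):
    """Yield (oid, value) pairs from 'OID = TYPE: value' lines, dropping the type tag."""
    for line in text.splitlines():
        line = line.strip()
        if " = " not in line:
            continue
        oid, rhs = line.split(" = ", 1)
        value = rhs.split(": ", 1)[1] if ": " in rhs else rhs
        yield oid.lstrip("."), value.strip().strip('"')


def map_switch_ports(text):
    """Return {interface name: [MAC, ...]} built from the three SNMP tables."""
    mac_to_bridge, bridge_to_ifindex, ifindex_to_name = {}, {}, {}
    for oid, value in parse_walk(text):
        if oid.startswith(FDB_PORT):
            octets = oid[len(FDB_PORT):].split(".")
            if len(octets) != 6:
                continue  # malformed index; skip rather than mis-map
            mac = ":".join(f"{int(o):02x}" for o in octets)
            mac_to_bridge[mac] = int(value)
        elif oid.startswith(BASEPORT_IFINDEX):
            bridge_to_ifindex[int(oid[len(BASEPORT_IFINDEX):])] = int(value)
        elif oid.startswith(IFNAME):
            ifindex_to_name[int(oid[len(IFNAME):])] = value

    ports = defaultdict(list)
    for mac, bport in sorted(mac_to_bridge.items()):
        ifidx = bridge_to_ifindex.get(bport)
        # Fallback label (my convention) when a bridge port has no ifIndex row.
        name = ifindex_to_name.get(ifidx, f"bridgeport-{bport}")
        ports[name].append(mac)
    return dict(ports)


def multi_mac_ports(ports):
    """Ports that learned more than one MAC: usually uplinks, hubs or unmanaged
    switches, i.e. the spots where an inventory tends to have blind spots."""
    return sorted(name for name, macs in ports.items() if len(macs) > 1)


if __name__ == "__main__":
    inventory = map_switch_ports(SAMPLE_WALK)
    for name, macs in sorted(inventory.items()):
        print(f"{name}: {', '.join(macs)}")
    print("ports with several MACs:", multi_mac_ports(inventory))
```

On some vendors the forwarding table is kept per VLAN (for example Cisco's community@vlan indexing, or the Q-BRIDGE-MIB dot1qTpFdbPort table), so a real mapper walks each VLAN and merges the results.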

We work in a world where vendors are pushing SIEM, CASB, and Next-Gen Whatevers while, at the same time, we don't even have the network and security basics down pat. We're too busy spending time and money on the latest and greatest technologies when we need to just go back and do more to get a grasp on the core essentials of the network. Once that has been achieved, then – and only then – does it make sense to buy into what we're being sold. Just be careful, because such proposals may not always be in your best interest!

Kirk Thomas at Northwest Performance Software has been creating these network tools for a couple of decades now. I first learned about NetScanTools back in the mid-1990s at Novell's BrainShare conference (remember the awesome OS called NetWare!?). Anyway, if you're looking to get a better grasp on your network while, at the same time, improving your overall security posture, check out these tools. They'll only serve to make you look better. If you're like me, you can use a dose of that every now and then!

Thursday, January 19, 2017

Children's Hospital Los Angeles breach reminds us that HIPAA means nothing if you ignore its requirements

Back in 2007 I wrote a blog post on what's it going to take to encrypt laptop hard drives. After seeing this recent story about Children's Hospital Los Angeles, I can't help but shake my head.
The 0 comments on this article say a lot, as society is becoming immune to these breaches...I think I've heard it called breach fatigue - it's not unlike presidential politics as of late!
In 2007, these decisions were bad enough...Like weak passwords, unencrypted laptops - especially if they're known to have PHI or PII - are simply inexcusable knowing what we now know in 2017. Doctors are smarter than that.

If anything - like all other lost/stolen laptops with sensitive information that have been regulated by things such as HIPAA for 12+ years - it shows that government and industry laws can't force people to make good decisions. Furthermore, "smart" people in positions of power running businesses don't know as much about security as they think they do and aren't as immune to security gaffes as they think they are.

Sunday, January 8, 2017

Hacking is not just an action, it's an excuse

Given all the ridiculous analyses and "findings" on Russian hacking as of late - such as federal government bureaucrats who said there's no evidence to prosecute Clinton or who claim that the NSA does not collect data on American citizens, yet are certain that the Russians meddled in the U.S. election - many assertions of which are coming from talking heads with zero experience working in this field, I thought this blog post I wrote back in June of 2011 was worthy of a re-post:

Weiner fallout: "I got hacked" is the new scapegoat

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate is how you actually get to the truth: do X, Y and Z to reveal what really happened. Be it a simple forensics analysis of Weiner's computer(s) all the way to subpoenaing Twitter for their log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up willing to take responsibility for information security once and for all. No scapegoats necessary...
Here are some reading assignments for you written by two of my peers - leaders in our field and fellas who have their heads on straight about this Russian hacking storyline:

"From Putin with Love" - a novel by the New York Times by Rob Graham

Of course it was the Russians by Peter Stephenson

I may be wrong...I often am. There's always three sides to every story (yours, theirs, and the truth). Knowing what I know about information security along with politicians/bureaucrats and their motivations, I'm a bit skeptical.

By the way, don't let our rulers in the U.S. fool you as this country has been meddling in foreign elections for years - perhaps a bit more legitimately: