Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Another diary, compliments of Handler-in-training Russ McRee:

Penetration testers and red teamers rejoice! We have a control for you: Critical Control 17: Penetration Tests and Red Team Exercises (hereafter referred to as PT & RT for brevity).
A few thoughts in support of your efforts:

1) Before taking on this activity, formalize it with management (in writing) to include vision, mission statement, and statements of work (SOW) in order to set clear expectations (and to keep you from being fired or jailed). Prepare to write reports and present findings. PT and RT activity is only as good as the dissemination of results and the subsequent remediation. Sure, the fun part is going after systems and resources with permission, but the documented follow-up is just as important.

2) A formalized process inclusive of best practices and documentation also supports PT & RT on behalf of compliance requirements (PCI, etc.). Trust me when I say, it's a lot easier to win the argument for a PT & RT program when you can tell your leadership that it supports meeting compliance requirements. Yes, compliance is often a minimum bar, but if it helps get your program underway, you're winning, right?

3) A great resource and good starting point: Open Source Security Testing Methodology Manual 3.0

4) If you're going to red team, then blue team while you're at it. A well-devised, concerted offensive engagement against your enterprise is also an ideal opportunity for your defenders to validate their monitoring and hardening practices.

5) While it's nice to have resident expertise, it's hard to imagine that every organization has the resources to dedicate personnel exclusively to PT & RT. How better to tune red team/blue team chops?

6) The social engineering (SE) aspect of PT & RT activity inevitably includes an organizational political component you should be sensitive to. I'll cut to the chase: people fall for SE tactics all the time, and there is always shame associated with it. Making enemies will not help your cause. Devise SE tactics (educational intranet sites, metrics generators) that don't automatically relegate people to the wall of shame/sheep. If you must actually compromise someone, dot your I's and cross your T's. Non-invasive recon for likely or ideal targets, for whom management signs off before total pwnzorship, is in your best interest. Again, your get-out-of-jail-free card is very important here. Malfeasance or anomalous behavior from systems belonging to your victims can then potentially be attributed to you.

7) Virtual environments, while not ideal, make for an inexpensive test bed for PT & RT (BT5 or Samurai WTF, anyone?) and victim VMs (unpatched Windows, vulnerable LAMP, etc.).

Have fun, but be careful.

What successes have you had structuring penetration testing and red teaming as a repeatable, sustained activity in your organizations? Let us know via the comment form.


-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
 
FreeType Font Document Multiple Memory Corruption Vulnerabilities
 
IBM has elected Virginia Rometty as president and chief executive officer effective Jan. 1, replacing Sam Palmisano, who will retain the chairman's role.
 
Apache 'mod_authnz_external' Module SQL Injection Vulnerability
 
Government Computer News magazine has honored the Digital Library of Mathematical Functions (DLMF), which the National Institute of Standards and Technology (NIST) released last year, with one of its 10 annual awards for information ...
 
If quantum computers are ever to be realized, they likely will be made of different types of parts that will need to share information with one another, just like the memory and logic circuits in today's computers do. However, prospects ...
 
The National Institute of Standards and Technology (NIST) has issued for public review and comment two draft guides to securing wireless communication networks. NIST is requesting comments on the two publications, one on Bluetooth ...
 
After years in the works and 15 drafts, the National Institute of Standards and Technology's (NIST) working definition of cloud computing, the 16th and final definition, has been published as The NIST Definition of Cloud Computing (NIST ...
 
Quantum's new NDX-8 NAS appliance delivers 8TB of capacity with built-in backup software and deduplication technology, offering to reduce storage requirements by up to 90%.
 
A federal appeals court has cleared the way for a class-action lawsuit to proceed against grocery chain Hannaford Bros. over a 2007 data breach that exposed millions of customers' credit and debit cards.
 
Looking beyond graphics processors, Nvidia is looking to push future Tegra chips into servers as the chip maker tries to break Intel's dominance in that market.
 
Zions Bancorporation has set up a massive repository for proactively analyzing a combination of real-time security and business data in order to identify phishing attacks, prevent fraud and ward off stealthy hacker incursions known as advanced persistent threats.
 
Researchers in Germany have demonstrated weaknesses in the W3C XML encryption standard used to secure websites and other Web applications.

 
Linux Kernel 'taskstats' Access Restriction Local Security Bypass Vulnerability
 
Japan's largest defense contractor backpedaled yesterday, saying it's possible some secrets had been stolen by hackers who broke into the company's network and planted malware in August.
 
John McCarthy, one of the fathers of artificial intelligence, died Sunday. He was 84.
 
Workday unveiled upcoming versions of its cloud-based ERP (enterprise-resource-planning) software on Tuesday during an event in Las Vegas, and in the process fired a warning shot across the bow of the likes of Oracle and SAP.
 
QEMU 'scsi_disk_emulate_command()' Function Local Denial of Service Vulnerability
 
Google paid out a record $26,511 in bug bounties to researchers who reported some of the 18 Chrome vulnerabilities patched today.
 
A new variant of the DroidKungFu Android Trojan is posing as a legitimate application update in order to infect handsets, according to security researchers from Finnish antivirus vendor F-Secure.
 
Google's Chrome contains a critical vulnerability that under certain circumstances allows attackers to plant malware on a Windows PC, a security company said last week.
 
An upcoming version of U.S. legislation designed to combat copyright infringement on the Web may include provisions that hold online services such as Twitter, Facebook and YouTube legally responsible for infringing material posted by users, according to one group opposed to the bill.
 
zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability
 
Re: jara 1.6 sql injection vulnerability
 
[SECURITY] [DSA 2328-1] freetype security update
 
Networking pros are among the top five tech professionals that companies want to hire, according to Robert Half Technology.
 
IBM today said it was rolling out software that will help doctors and insurance companies reduce costs by better analyzing and managing huge amount of patient data.
 
Spammers have created their own services to shorten URLs (uniform resource locators) in an apparent attempt to circumvent security measures in place at well-known shortening websites, according to Symantec.
 
A large majority of tablet computer users still want to read news content for free, according to the results of a Pew Research Center's Project for Excellence in Journalism and The Economist Group survey.
 
RETIRED: SAP Management Console OSExecute Remote Code Execution Vulnerability
 
[ GLSA 201110-22 ] PostgreSQL: Multiple vulnerabilities
 
[ GLSA 201110-21 ] Asterisk: Multiple vulnerabilities
 
[SECURITY] [DSA 2327-1] libfcgi-perl security-update
 
Slow Sprint network performance with the new iPhone 4S has led customers to consider returning the Apple devices before Friday when Sprint's early termination fee of up to $350 takes effect.
 
In addition to using Dell's Boomi integration service to move data from one cloud to another, users of the service can now also create simple business rules to reroute data to different locations, the company announced Tuesday.
 
Microsoft on Tuesday unveiled the latest version of its Dynamics CRM software, which adds some social software functionality and closer ties to Office 365.
 
phpLDAPadmin 'functions.php' Remote PHP Code Injection Vulnerability
 
As many as 5,000 workers at the U.S. Department of Energy's Idaho National Laboratory will be the latest government workers to start using Google Apps.
 
Software giant Oracle is acquiring RightNow Technologies Inc. for $43 a share, or a total of about $1.5 billion, to expand its Internet-based offerings and offer a challenge to customer relationship management powerhouse Salesforce.com.
 
Most of us have to generate recurring reports for the state of security, system uptime or general performance at our respective work places.

Solid, clear reports may not appear to be one of the foundations that security is built on, but many voices would strongly disagree, and management is usually one of them. You have to clearly report on data, trends, issues and events for reasons ranging from simple best-practice diligence to justifying why IT security is critical to your business, and everything in between. Good reporting won these were all from the private sector, so I haven't reviewed any government or public sector reports, but the theory is hopefully the same.
Rather than suggest some sort of universal template to fit every situation, I've observed that applying the concepts behind these four words to reporting makes the information so much easier to understand and absorb:


Clarity
Consistency
Concise
Colourful



Here's my interpretation, from hours of wading through those reports, to avoid your next report being used to test the speed of the office shredder.
Clarity
Know your audience and write the report for them, applying the correct level of terminology and detail. As general groups, think: your peer group, your boss, management or the general public.

No weird or wacky fonts. I have no issue with standard bolding, italics or large cases but gothic or super fancy fonts are distracting and slow the flow of reading.

Try to avoid jargon and the dreaded, unexplained three-letter acronym (TLA) as well. I spent an hour attempting to work out what ARE, ARM, POP and HIS meant and, despite some pretty good guesses, was completely wrong. The author had some team-only terminology for bespoke systems, so I may as well have played the lottery instead.

Avoid complex language and stick to plain language and terms, if possible. I do enjoy attempting to slip defenestration into certain reports, but if the reader has to look up the word it loses that wit. Reports aren't about showing off, so keep the language practical and uncomplicated.
Consistency
How can someone review previous or future reports without the same points of reference? Using the same template, with the same headings, for the same recurring report makes it a breeze to see trends, and the reader gets used to what to expect to see.

If you are using tables or charts, keep using the same data, not random facts and figures. Keeping people guessing what might be in next month's report is an interesting approach, but one that may force them to form a "that doesn't make any sense" and "but, but the last report does mention this" lynch mob.
Concise
As technical people we love the details, but those recurring reports may not want every bit of detail, so summarise. You can refer to data, but sixteen pages of eight-point, densely compressed text of server alert messages is hard to read, let alone understand.

Keep away from using opening statements that could come from a novel: "It was a dark and cold night. The winds were howling. Lightning forked wickedly across the skies, spearing the landscape surrounding the datacentre. With a final, silence-choked gasp the UPS failed, mere seconds before the haggard night shift crew took their seats." "UPS failure at datacentre X, 23:45" really covers that more effectively.
Colourful
This isn't a reference to fruity language, although a smattering of four-letter words will get the reader's attention, but for all the wrong reasons. I'm, of course, referring to those eye-catching images stuffed into reports to make assimilating complex data simple and quick. You have to be a bit careful with this, but good use of colour in tables or charts can draw in the reader. Well-executed charts and tables can make absorbing complex data much easier and get points across very quickly. Clashing colours or, just as bad, tones that blend together, making it impossible to work out what's happening, are annoying, distract from the reader's ability to understand the report, or drain the will to continue through it.

Wrapping up, take pity on those you're writing a report for and try to avoid making it one of those government forms PhDs struggle to comprehend. A book that I really enjoyed reading was from Jon Moon [1], an English author who is determined to rid the world of confusing, poorly written paperwork of all ilks.

For those wondering what they could be writing these reports on, have a look through the SANS Critical Security Controls [2], which my fellow handlers have spent this month expanding on, and turn the points into items to report on about your environment.


As always, if you have any suggestions, insights or tips please feel free to comment.

[1] http://www.jmoon.co.uk/book.cfm

[2] http://www.sans.org/critical-security-controls/
Chris Mohan --- Internet Storm Center Handler on Duty
 
A newly released denial-of-service (DOS) tool can be used to bring down SSL servers using an average laptop computer and a standard DSL connection.
 
Groupon's China venture posted a net loss of $46.4 million for the past nine months, generating only $2.1 million in revenue as it fights to gain dominance in the country's highly competitive group buying market.
 
At EMC's recent user forum, president and chief operating officer Pat Gelsinger expounded on EMC's plans to enter the application server hardware market and begin porting VMware virtual machines onto storage arrays. Gelsinger also said EMC didn't want its 10-year partnership with Dell to end.
 
Ready or not, big data is coming. Here are 5 things IT managers can do today to prepare for the data deluge of tomorrow.
 

Posted by InfoSec News on Oct 24

http://www.stripes.com/news/cyberwarfare-joins-the-curriculum-at-service-academies-1.158642

By Chris Carroll
Stars and Stripes
October 24, 2011

WASHINGTON -- A cyberattack took place recently in a darkened classroom
at the U.S. Naval Academy.

The target was a computer demo set up by Ensign Justin Monroe, a
recent academy graduate who was instructing first-year midshipmen on the
basics of website attack and defense.

But someone in the...
 

Posted by InfoSec News on Oct 24

http://www.thejakartaglobe.com/home/intrepid-gardener-causes-security-scare-at-asean-air-show/473825

By Made Arya Kencana
The Jakarta Globe
October 25, 2011

Nusa Dua, Bali - Nyoman Minta is anything but a terrorist. He is a
gardener.

But he caused an embarrassing incident on Monday when he pushed his
bicycle near a podium where President Susilo Bambang Yudhoyono and
guests were seated, carrying a large plastic bag on his bike.

Presidential...
 

Posted by InfoSec News on Oct 24

http://www.jpost.com/NationalNews/Article.aspx?id=242957

By JPOST.COM STAFF
10/24/2011 13:16

A contract worker from the Ministry of Labor and Welfare was charged
with stealing the personal information of over 9 million Israelis from
the Population Registry, the Justice Ministry announced Monday after a
media ban was lifted.

The worker electronically copied identification numbers, full names,
addresses, dates of birth, information on family...
 

Posted by InfoSec News on Oct 24

http://www.networkworld.com/news/2011/102411-cyber-insurance-252145.html

By Lamont Wood
Network World
October 24, 2011

Heartland Payment Systems figured it was in pretty good shape when it
took out a $30 million cyber insurance policy. Unfortunately, the credit
card transaction processor was the victim of a massive data breach in
early 2009 that resulted in losses estimated at $145 million. The
insurance company did pay Heartland the $30...
 

Posted by InfoSec News on Oct 24

http://gcn.com/articles/2011/10/24/fbi-official-alternate-internet.aspx

By Kathleen Hickey
GCN.com
Oct 24, 2011

The United States needs an alternate, transparent, restricted Internet
if it is to secure the critical systems that handle such things as
utilities and financial transactions, an FBI official says.

Shawn Henry, the bureau’s executive assistant director, speaking at the
International Systems Security Association conference...
 

Posted by InfoSec News on Oct 24

http://www.computerworld.com/s/article/9221163/FCC_unveils_tool_to_help_small_businesses_plan_for_cyberattack

By Nancy Gohring
IDG News Service
October 24, 2011

With hackers increasingly setting their sights on small businesses, the
U.S. Federal Communications Commission said Monday it will provide an
online tool to help those businesses develop a cybersecurity strategy.

The Small Biz Cyber Planner will ask a series of questions such as...
 

Posted by InfoSec News on Oct 24

http://www.nextgov.com/nextgov/ng_20111024_7468.php

By Aliya Sternstein
Nextgov
10/24/2011

The Commodity Futures Trading Commission is searching for a phone
hacking tool to investigate suspects' mobile devices for evidence of
links to Ponzi schemes, insider trades and other illicit dealings.

With Americans' increasing reliance on smartphones, evidence of fraud
often can be found in phonebook contacts, call history logs, text...
 