
Wednesday, October 11, 2017

Course Review: Managing IaC With Terraform

As you probably have seen from previous posts, Terraform as a technology has piqued my interest.  Luckily for me, safaribooks put on a 3-hour course on this very topic.  The course was presented by Yevgeniy Brikman and it was very well done!

What I liked?

The presenter was absolutely awesome.  Very knowledgeable, and what I liked was that the presentation went quickly from the basics to some of the more advanced Terraform concepts.  He talked about some issues that I ran up against when I was using Terraform.  For example, he touched on how he does credential management from both local servers and build servers.  He also talked about how he organizes his tf files and how he integrates modules into his workflow.  Finally, I really liked the project he showed at the end for using Go to "test" your Terraform scripts in an automated fashion.

What I didn't like?

The O'Reilly platform requires flash to get the audio.  Wow, #howisthisstillathing ?

I am really liking Terraform and its ability to deploy resources cross-platform.  I am hoping to experiment more with it to see how I can bring this technology to my clients.  If you are interested in the course, I think there is another one coming up in a few weeks.  Check out https://www.safaribooksonline.com/live-training/courses/managing-infrastructure-as-code-with-terraform/0636920103172/ for more info.

Sunday, October 9, 2016

SANS 504 Notes - Containment/Eradication/Recovery

Notes
  • Containment
    • need to stop the bleeding
    • phase after an incident is declared
    • consists of short-term containment, system back-up, and long-term containment
    • First step, record incident details
      • category
      • criticality
      • sensitivity
    • Follow notification procedures based on incident details
      • notify IR team
      • notify management
      • notify business units
      • create / log IR ticket in appropriate system
    • Initial Analysis
      • remember, attacker might be watching for signs of IR, so be stealthy if you can
    • Short-Term Containment
      • prevent further damage, but try to keep the system intact
      • best case, network changes to isolate the system
      • worst case, pull the power (lose volatile memory)
      • Deploy tracking files (WordWebBugs) to track data transit
      • Might need to coordinate with ISP
    • System back-up
      • If possible, create a forensic image
      • acquire logs and review, check neighboring systems 
    • Long-term Containment
      • generally required if you cannot turn off / repair / patch machine in a timely manner
      • lots of techniques, mostly around changing trust relationships, etc of the running system
    • During containment, be careful not to jump to conclusions about who/what/when
      • take detailed notes, but don't make assumptions
  • Eradication
    • two main goals
      • remove attacker artifacts
      • determine entry point
    • virus scanning, rootkit detection, rebuild from a zeroed drive
    • Improve defenses based on understanding the entry point
    • perform vulnerability analysis
  • Recovery
    • decide when to restore, keep in mind business priorities
    • monitor systems once they are put back in production
    • build a script that checks whether the initial attack vector (or artifacts of the attacker) return

Some thoughts on Azure

From an Azure point of view, at least in the IaaS sense, most of the techniques described here are similar.  Of course, there is limited access to the networking logs, so one would have to get creative with that part.  NSGs offer some diagnostic logs, but not as detailed as we would require.  Windows firewall logs might be of use, but once again, they don't show enough information regarding successful connections.

Containment could be as simple as deleting the NIC from an IaaS machine, or placing an NSG around that particular VM limiting its access to the network.
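The NSG-based containment described above, as an added Az PowerShell example (not code from the post).  It assumes the Az module with an authenticated session (Connect-AzAccount), and the resource group, NIC name, forensics host address and region below are placeholders to replace with your own:

```powershell
# Added example: quarantine a suspect Azure IaaS VM by swapping the NSG on its NIC
# for one that denies all traffic except management access from a forensics host.
# This keeps the VM running (volatile memory and logs intact) while cutting it off.
param(
    [string]$ResourceGroup = "rg-incident",       # placeholder
    [string]$NicName       = "vm-web01-nic",      # placeholder: NIC of the suspect VM
    [string]$ForensicsIp   = "10.0.250.10/32",    # placeholder: jump host allowed in
    [string]$Location      = "canadacentral"      # placeholder: region of the NIC
)

$nic = Get-AzNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroup

# Record the NSG currently attached so containment can be reversed during recovery.
$previousNsg = $nic.NetworkSecurityGroup.Id
"$(Get-Date -Format o) NIC=$NicName previousNSG=$previousNsg" |
    Out-File -Append -FilePath "$env:TEMP\containment-$NicName.log"

$rules = @(
    # Only the forensics host may reach RDP/WinRM on the VM.
    New-AzNetworkSecurityRuleConfig -Name "Allow-Forensics-In" -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $ForensicsIp -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389,5985,5986
    # Everything else inbound is dropped (priority below the default 65000 rules).
    New-AzNetworkSecurityRuleConfig -Name "Deny-All-In" -Direction Inbound -Priority 4000 `
        -Access Deny -Protocol * -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
    # Outbound deny stops data exfiltration and C2 callbacks. It also cuts the
    # guest agent's connections to the fabric, so VM extensions will not work
    # until the original NSG is restored.
    New-AzNetworkSecurityRuleConfig -Name "Deny-All-Out" -Direction Outbound -Priority 4000 `
        -Access Deny -Protocol * -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)

$nsg = New-AzNetworkSecurityGroup -Name "nsg-quarantine-$NicName" `
    -ResourceGroupName $ResourceGroup -Location $Location -SecurityRules $rules

# Attach the quarantine NSG directly to the NIC (NIC-level NSGs apply regardless
# of what the subnet's NSG allows).
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null
"Quarantine NSG $($nsg.Name) applied to $NicName"
```

To release the VM after recovery, reattach the NSG id logged to the containment file and delete the quarantine NSG.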

Eradication and Recovery for IaaS are almost the same as on-prem.  In certain cases, depending on how you have your systems configured, a better approach is to rebuild from latest image + DSC for the application.  You could also be restoring from Azure Backup or a 3rd party backup tool.  

Sunday, October 2, 2016

SANS 504 Notes - Identification (Azure VM analysis)


In this section I'll detail my notes on the identification part of SANS 504.  I'll also have a look at a brand-new Azure VM to see what is running on it.

Notes
  • Identification is everyone's job
    • Consider all the sources you can use to identify / detect an incident
      • help desk
      • firewalls
      • IDS/IPS
      • log alerting software
      • anti-virus
      • end users
    • Consider the identification areas
      • network perimeter
      • host perimeter
      • system-level
      • application-level
  • It is the incident handler's job to investigate an incident
    • ensure all information provided is as current as possible
    • send two handlers if possible (one to run the incident and one to maintain communications)
    • set expectations up front around documentation and communication schedules
      • ensure out-of-band communication channels are open (fax/phone/etc)
    • enforce a need-to-know policy, keep rumours at bay
  • Handlers need to have an understanding of a baseline of a system to look for differences
    • SANS has published Windows/Linux cheat sheets that give some basic commands for initial investigation
    • Things to look for
      • Unusual process/services
      • Unusual files
      • Network usage
      • Scheduled tasks
      • Accounts
      • Log entries
      • Other unusual items
  • Handler has to know when to declare an incident
    • Don't be afraid to report early; worst case, the incident becomes a training event
    • Need to do proper investigation on an event
      • check for simple mistakes
      • "what other possibilities are there"?
    • Determine how much damage has been caused
      • risk of the systems affected (and the reach)
      • complexity of the attack (script kiddie vs real hacker)
      • remote exploit?
    • See https://zeltser.com/security-incident-questionnaire-cheat-sheet/ for more info
    • Remember to maintain chain of custody and take good notes

Looking at a new Azure VM based on template

In this section I'm going to use some commands from the Windows cheat sheet to have a look at a net new Azure VM.

The first is a look at the running services in an Azure VM.

Azure VM - Running Services
A couple of interesting things to note:
  • Hyper-V services are installed, a dead giveaway of the hypervisor technology in use
  • Azure services (Guest/Telemetry) are enabled by default
Now let's have a look at which features are installed by default.

Azure VM - Installed Features

A pretty small set of features is installed.  Most are required because I am running a GUI and not a Nano/Core install.  It has been a long time since I've installed/used a Windows Server not on Azure, so I'm not sure what the base feature set is.  There are some interesting ones such as "Enhanced Storage".

Next, let's have a look at network connections.

Azure VM - Network Services

Looks like by default my Azure VM is talking out to the internet.  Curious, wonder what that could be.

Process ID - 1972 = WindowsAzureGuestAgent
Process ID - 2844 = WaAppAgent


The second address appears to be a link to the storage stamp associated with this VM.  The first, based on the waappagent logs, appears to be the fabric address. 

Azure VM - WaAppAgent Logs

Okay, cool cool.  Good to know that I need those connections and, further, that they are persistent even after initial setup.  This is obviously only true if you have installed the guest agent.  You can choose to opt out of this install.

Lastly, let's have a look at the scheduled tasks that have triggers and are not disabled.

Azure VM - Scheduled Tasks
There are probably a few other things we could check.  According to the cheat sheet, we should also have a look at large files in the system, registry keys, and local user/group memberships.  I'll leave that as an exercise to the reader :)
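The checks walked through above (running services, installed features, network connections mapped to their owning process, enabled scheduled tasks) as one added PowerShell script that is not from the post or the SANS cheat sheet.  It records a baseline on the first run and reports differences on later runs, which also serves the recovery note in the previous post about scripting a check for returning attacker artifacts.  It assumes Windows Server with PowerShell 5.1 or later, an elevated session, and the ServerManager, NetTCPIP and ScheduledTasks modules that ship with it; the baseline path is a placeholder.

```powershell
# Added example: snapshot the four areas reviewed in the post and diff them against
# a saved baseline. Run once with -SaveBaseline on a known-good build, then re-run
# during identification (or after recovery) to list what appeared or disappeared.
param(
    [string]$BaselinePath = "$env:ProgramData\ir-baseline.json",   # placeholder path
    [switch]$SaveBaseline
)

function Get-HostSnapshot {
    # Running services with their binary path, so a service pointing at an odd
    # location stands out even when its name looks legitimate.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { '{0}|{1}' -f $_.Name, $_.PathName } | Sort-Object

    # Installed Windows features (Get-WindowsFeature exists only on Server SKUs).
    $features = @()
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $features = Get-WindowsFeature | Where-Object { $_.Installed } |
            ForEach-Object { $_.Name } | Sort-Object
    }

    # Established TCP connections to non-local addresses, resolved to the owning
    # process name (the post resolved PIDs 1972 and 2844 to the Azure agents by hand).
    $connections = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { 'pid-' + $_.OwningProcess }
            '{0}|{1}:{2}' -f $name, $_.RemoteAddress, $_.RemotePort
        } | Sort-Object -Unique

    # Scheduled tasks that are not disabled and have at least one trigger,
    # together with what each one executes.
    $tasks = Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.Triggers.Count -gt 0 } |
        ForEach-Object {
            $exec = ($_.Actions | ForEach-Object { $_.Execute }) -join ' '
            '{0}{1}|{2}' -f $_.TaskPath, $_.TaskName, $exec
        } | Sort-Object

    return [ordered]@{
        Services    = @($services)
        Features    = @($features)
        Connections = @($connections)
        Tasks       = @($tasks)
    }
}

function Compare-Snapshot {
    param($Baseline, $Current)
    # Per-area set difference, done by hand so an empty area (e.g. Features on a
    # client SKU) does not trip Compare-Object's empty-array binding error.
    foreach ($area in $Current.Keys) {
        $before = @($Baseline.$area)
        $after  = @($Current.$area)
        foreach ($item in $after)  { if ($item -notin $before) { '[NEW]  {0}: {1}' -f $area, $item } }
        foreach ($item in $before) { if ($item -notin $after)  { '[GONE] {0}: {1}' -f $area, $item } }
    }
}

$snapshot = Get-HostSnapshot
if ($SaveBaseline -or -not (Test-Path -Path $BaselinePath)) {
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $findings = @(Compare-Snapshot -Baseline $baseline -Current $snapshot)
    if ($findings.Count -gt 0) { $findings } else { 'No differences from baseline.' }
}
```

On a fresh Azure VM the Connections area of the baseline will contain the WindowsAzureGuestAgent and WaAppAgent entries discussed above, so only connections from other processes show up as new.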


Friday, September 30, 2016

SANS 504 Notes - Process/Preparation

Well, my GCIH certification is up for renewal this year.  This time, since it has been a while since I've reviewed this material, I decided to redo the exam rather than the alternate renewal options.  As such, I'll be starting a series of notes for the SANS 504 course.  I remember taking this course way back when; it is a super exciting course and I highly recommend it.  It gives a good base on how to run an incident and the steps involved.  Ultimately, the tools discussed in this course are real world, and give a ton of insight into how to defend networks/systems against them.

This post will be some points in the first section, around the incident handling process and the preparation phase.

  • What is incident handling
    • an action plan for dealing with the misuse of computer systems and networks
    • generally a set of written policies and procedures that outline what to do when an incident occurs
    • Pre-planning of response parameters/controls/scope
  • An incident refers to an adverse event in an information system or network
    • implies harm or the attempt to do harm
    • contrast to an event, which is any observable occurrence in a system or network
  • Ultimately, the definition of which events are classified as an incident is up to the handler and the company
  • Think of incident handling as first aid
    • incident handlers need an easy method to follow under pressure to resolve issues
    • Core Stages: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
  • Preparation Phase
    • The WHY:  You need to enable the enterprise, both technically and from a people perspective, to respond to incidents.
    • People
      • Focus on training (sometimes recurring training)
      • Test user and the team often
        • fake incidents
        • social engineering attacks
      • Establish communication mechanisms (easy to use) for end users to report suspicious activities (TSA: See something, say something policy)
      • Coordinate with helpdesk staff (they are often the first line of defense against this)
        • establish training plans
    • Policy
      • Policy should be established
        • in general
        • consequences of insider actions 
        • share information with authorities (or not)
        • peer notification
        • understand breach laws
      • Warning banners allow for lawful recording of actions (also serves to remind users, like airline safety training)
      • Get management buy-in and delegation of authority to the incident response teams
    • Notes
      • maintain excellent notes, preferably in written form on notebooks
      • understand the chain of custody requirements and follow procedures
    • Management Support
      • work to achieve management buy-in
      • show quarterly reports on incidents
    • Building A Team
      • aim for a multi-disciplinary team
        • technical domains (server, network, storage, forensics, etc)
        • Non-technical domains (marketing, law, public affairs, etc)
      • Establish roles if no specific members exist and assign the responsibility to someone
      • Conduct routine training and testing with the team
        • many online resources (counterhack challenges)
        • conduct sessions on log reading, etc
      • Establish appropriate compensation plans (work times, etc)
      • Establish response times, response locations
        • Might need a command post (secure location to store files and hold meetings)
        • Remote people may be required to be the "techie on site" 
      • Establish a budget for the team ahead of time (no need to seek approvals to spend during an incident)
    • Checklists
      • Have a firm understanding on how to rebuild systems from known good backups or from scratch
    • Emergency communication Plan
      • Create a call list, test this call list
      • identify requirements for secured communication channels (ahead of time)
    • Granting access
      • have an access strategy in place for incident response team members to access critical systems and data
    • Jump Bag
      • think about the things you will need in an incident
      • Tailor this to your environment
      • Technology: Gold images, rootkit checkers, debugging tools, forensic tools
      • People: clothing, medications, food, etc
      • Other things: cd/usb/media, jumpers, extra hard drives, taps, laptop with multiple OS, call list, cell phones with extra batteries

Thursday, May 19, 2016

MS 70-534: Architecting Microsoft Azure Solutions - Certified

Continuing with the writing of MS exams, I just passed 70-534.  I found this exam easier than the 532 exam.  While it does focus on a broad range of subjects, there seems to be little focus on some of the newer technologies such as service fabric, or other ones such as security center, etc.  I understand that some of those technologies are still in preview, but it is shocking how out of date some of these exams can be.

Good luck if you plan on writing it.

Friday, February 12, 2016

MS 70-532: Developing Microsoft Azure Solutions - Certified

I finally decided to take my first Microsoft exam, and aimed for 70-532.  The content is pretty comprehensive, with the standard focus on memorization of terms / commands, etc.  I did like how it covered multiple technologies from webapps/webjobs to redis cache and CDNs.  You really need to have a good understanding of how those systems work to pass the course!

Have fun!


Sunday, November 22, 2015

Course Review: Security in a Cloud-Enabled World

Just recently released, I decided to spend some time watching "Security in a Cloud-Enabled World" on MVA.

Overall I thought it was a pretty good course, although not what I expected it to be.  The course was broken down into 2 sections, the first focusing on Microsoft's role as a trusted cloud provider and the second being a list of roadmaps that should be considered when clients choose a cloud provider to host their solutions.

Here are a couple of points I made about the course:

1)  It is good to get validated on what I am currently doing.  When I engage as an SA on a project, I review many aspects of the roadmaps outlined in this course.  This is good validation that I am on the right path.

2)  If you want to skip several hours of boring content, just read the poster and do the quizzes. 

3)  I am not a big fan of using "user reviews" when judging how secure a cloud provider or solution is.  The second module makes many references to how users perceived the security/availability of their solutions in the cloud.  Most, as you could expect, were favorable of the cloud.  While interesting material, it has been well documented that security is a lemons market.  While I am not saying that Azure's security stance is bad, I do think that ultimately it is very difficult for customers or end users to make even an educated guess on the subject.

4)  There was an inherent lack of focus on how to do things in Azure.  While I guess that wasn't the point of the course, I think that this material needs to be covered somewhere.  In one module, the presenter talks at length about access to the administrative consoles.  Some info is provided on MFA and about how to configure subscriptions for security, but no info is presented on how to audit these admin accounts, control these admin accounts, tie these admin accounts to PAM toolsets, etc.  I think there is a lot of room for content like this.

Overall it was a good course.  It was well structured, and provides a good framework for review when designing out cloud solutions.

Friday, July 24, 2015

SABSA Chartered Security Architect - Foundation Certificate Achieved!

A few months ago, I decided to attend SABSA training.  For a while, it had been something on the radar.  I wanted to find a good, recognized certification that spanned both architecture and security. SABSA fits the bill quite perfectly.

The course I attended was taught in Winnipeg of all places, and led by the great Michael Legary.  Due to some administrative problems on a client's end, there ended up being only 2 of us in the course.  This worked out great as we were able to explore the various sections in more detail and really work to apply the concepts to our current positions.  From a professional services perspective, I was interested in how to apply these concepts to our project delivery.  SABSA's focus on creating controls/solutions that are both traceable and justifiable in business context is, in my opinion, critical to the success of any project.

In case, at this point, you are wondering what SABSA actually is, please allow me to fill in some details.

SABSA stands for Sherwood Applied Business Security Architecture.  It is a methodology for developing business-driven, risk and opportunity focused enterprise security & information assurance architectures.  It is comprised of a number of frameworks, models, methods and processes.

The SABSA methodology focuses on delivering the following features:

- It is business-driven in nature
- It is risk focused (both from a threat and opportunity standpoint)
- It is comprehensive (and thus can be scaled from point areas to enterprise wide)
- It is modular (you don't have to big-bang this approach)
- It is open source (well, kinda ;) )
- It is auditable (this is the entire point, justify what you are doing)
- It is transparent (two-way traceability)

There is a ton to SABSA. If you are interested in finding out more, please take a gander at the SABSA Whitepaper (registration required).

One thing I will say, it was a TOUGH exam.  I think the level of abstractions that are dealt with in enterprise architecture are hard to grasp over the course of 5 days.  I look forward to spending a significant amount of time digesting the course material and integrating it into my day job.



Tuesday, April 8, 2014

CCSK Certified!

After dragging my feet for a long time, I finally decided to write the CCSK.

It was a pretty comprehensive exam, but if you go through the two documents, you should be fine.  I found that I finished the exam in about 30 minutes and had about an hour to go over the questions again.  In my initial attempt I skipped about 10 questions.

The biggest problem I found was the wording of some of the questions.  I found reading out-loud helped a lot as there are some subtle things to watch out for.

In any event, passed with 88%!  Time to take the rest of the week off!

Friday, March 8, 2013

SFCP Certified!

Well, I just wrote my SFCP exam and am proud to say that I am now SFCP certified for v5.1.1.

Time to tackle the world... maybe.

Saturday, July 30, 2011

Course Review: ITIL v3 Foundations

The company that I work for is in a transitions phase.  One of the big things that they are trying to do is implement more ITIL processes inside of IT.  With this, they have sent off the permanent IT staff to ITIL v3 foundations training.

ITIL is a buzz word in the industry and has been since v3 was released (2007?).  Those companies that practice in the art form known as "certification shopping" have long weeded out any resumes that do not contain the precious ITIL buzz word.

I quite enjoyed the course, although it was very high level and dry.  Our instructor was exceptional, however, which made for some interesting discussions in this 3 day course.  I view ITIL training (at least at the foundations level) more as training on language than on any specifics in the IT industry.  The foundations course's main focus is to establish a baseline of knowledge and terms that can then be used by people to communicate effectively.  If you don't know the ITIL definition for a function, for example, you would be pretty lost in a conversation about it.  Furthermore, you'd probably find it quite hard to get a good idea of your job role if it was described solely in ITIL terms.

In any event, it was a course worth taking.  I definitely learned something out of it, even if it was just the terms ITIL uses to describe the best practices in use today.

Saturday, June 11, 2011

Course Review: Developing Application for the Java EE Platform

Last year, I was still doing a lot of Java stuff at my current position.  Most of my Java knowledge (as I'm sure is true of most Java developers) had been organically grown via many online tutorials, blog posts, tool documentation, and looking at old code.  The latter is probably one of the best and worst ways to learn a language.

I really struggled in trying to understand how all the different Java components fit together.  Sure, I could create a web.xml, but how did it all really work?  I wanted to learn more about the specifications that drive the Java platform.  With this goal in mind, I took the course Developing Application for the Java EE Platform from Oracle University.

The course had many cons, but I did learn a thing or two.

Cons:
1)  The electronic voice that you hear while navigating through this course is truly brutal. You learn very quickly that there is a transcript button, where you can read exactly what the "voice" is saying.  There is also a mute button, a must find in the first couple of minutes.  I swear that Oracle should pay a dollar for every time you have to hear " or navigate by using the tab and spacebar keys".

2) No course notes.  I really really like going back later on and reviewing course notes, especially for reference.  With the SANS courses, you get course notes with all the slides and some of the "transcript".  Really helpful for when you are trying to master skills later on.

3)  Very high level.  The course was designed as more of an intro course, so I knew what I was getting into.  I found the course didn't really focus on how to do things, or common ways a developer would take advantage of the various (and I mean various) Java specifications.  For example, it is great to know that JAXB is an architecture for xml binding, but what do you do with it? What are some common implementations?

4)  Session timeout.  The player would still function (if say, you were within a module and just clicking the next button) even if you had your session timed out.  This was great as I could start a section and then leave to go do something.  I would come back to find the player still functional and assume that my session was still valid.  I would click through the rest of a module and finish only to find that my session was timed out and that I would have to redo everything I just did.  It was pretty frustrating because of the next point.

5)  Complete means clicking through every page.  Yawn.

Pros:
1)  Lots of good information from the "source".  It is one thing to read some tutorial on how to do things, and another to actually read about what the specification is actually supposed to do.

Overall, I learned a fair bit from this course, even if it was just solidifying what I already knew.  I'm not sure I would take another oracle course as the delivery format was really hard for me to deal with.

Sunday, March 27, 2011

Course Review: SANS SEC542

Well it is that time again for another course review.  This time it is SANS SEC542: Web App Penetration Testing and Ethical Hacking.

I personally found this course super interesting.  I took it OnDemand via SANS (personally, the only way to do courses) and I greatly benefited from the insight provided by Kevin Johnson as well as extra time to do my own research into the tools and techniques mentioned in class.  The following is going to be a summary of the core concepts that I learned from this course.  If you have a chance to take it, I suggest you do.  The insight and lab environment provided by SANS proves to be an effective learning tool.

Day 1: Attackers view of the web
The real purpose of this day is to ensure that everyone taking the class has a similar baseline of knowledge.  This knowledge, of course, is what the rest of the course will build on.  What I particularly liked about this part of the course was not so much the overview of TCP and the different types of authentication (basic/digest...) but how all of this was summed up into how the attacker views the different mechanisms that are used in security today.

The course goes into depth about the authentication techniques used today.  For example, in today's web, session state is everything.  The course goes over the different ways that session state is persisted in a stateless protocol such as HTTP.

The course also talks about the different types of "testing", and which types will accomplish what.  On a related note, I was recently asked a question about the difference between penetration testing and a security assessment.  At the time, I kind of flubbed the answer, but after reviewing my notes I would have to take the following stance.  A penetration test is simply a matter of seeing "how far can you get".  You can only truly know the risk of a vulnerability if you have fully explored how far you can take it.  A security assessment, on the other hand, is more of a "try-and-find" type approach.  The goal is not to find out how far a certain vulnerability can go, but rather, to figure out where the holes are and plug them.

The most important part of day 1, in my opinion, was the discussion of the attack methodology used.  Since learning this methodology, I have learned that there are others that can be followed, such as OSSTMM.  Really, the methodology here is quite simple.
1) Recon: Research the target
2) Mapping: understand the target and its surroundings
3) Discovery: look for vulnerabilities
4) Exploitation: launch attacks!!!


Day 2: Recon and Mapping

Recon as defined by the course simply means to research the target.  In the day and age of things like Stack Overflow, recon has gotten more complex.  Kevin tells the story of one assessment he was doing where he actually used Google and message boards to determine vulnerabilities in code.  Coders like to post samples (especially when they have problems) on message boards looking for help.  Kevin repeatedly says that the only advantage a company has over a hacker is the fact that they have access to the code.  This really changed my mind on posting code samples on the internet.  Most of the techniques and tools involved in recon are general stuff.  Just remember that you can use anything public facing to get an idea of what the company is using.  Take, for example, job postings.

Once you have your targets to hit, you can begin the mapping phase.  Mapping generally goes in the following order:
1) Port Scan
2) OS Fingerprint & Version Scan
3) SSL analysis
4) Virtual hosting & load balancer analysis
5) Software configuration Analysis
6) Spidering
7) Detailed Analysis.

Basically, you are trying to find out as much information about the target as possible.  All this information could be things you could use during the next phases.  For example, in (3) you could determine that the server allows for the NULL SSL key, which basically means data is sent in the clear.  You might be able to use this information during later phases.  Another interesting aspect of mapping is (5).  There are automated tools that you can use to help determine the configuration of applications running on the server.  There are many tools that one can use in this space.  They include:
1) Nmap
2) P0F
3) HttpPrint
4) Nikto
5) WebScarab

One important step of mapping is to try and chart out the application itself.  What pages link to others, etc.

Day 3: Server-Side Vuln Discovery
Basically this step involves probing the server to try and determine weakness in the application.  The easiest way to accomplish this is by use of automated scanners.  One should never rely on automated scanners to do all the work, however. Most of the day talks about manual ways to do discovery.  Very very very interesting stuff.
1) w3af

Day 4: Client-Side Discovery
This day primarily focuses on the client-side technologies used in modern-day websites, and how one might be able to exploit them.  One example I can remember clearly was talking about an AJAX shopping cart.  General shopping carts have the following 4 steps.
1) Add an item
2) Subtotal
3) Charge credit card
4) Checkout.

Well what would happen if you ran all of these calls out of order?  Would it work?  You'd be surprised to know that not too long ago some major AJAX shopping carts had vulnerabilities like this. 
This day goes into depth about AJAX, Web services, XPATH Injection and more. 

Day 5: Exploitation
This day was by far the "fun" day out of the course.  Here they talk about bypassing authentication.  They talk about using your SQL Injection for bad.  They talk about making zombies of browsers on the internal networks, and then using them to continue your attack.  Really really neat stuff.  I'm not going to go into detail here.

Overall this was a great course.  I think it has provided a solid foundation for me to build my skills on.  I recommend this course for all developers who want to know how attacks are really done.  Those people who say, so what ... sql injection... the database doesn't have anything useful on it, be warned... you are so wrong.

Sunday, February 20, 2011

Course Review: Crucial Conversations

So recently I found myself in my performance review.  Everything I do is great.  My work is done on time, and meets requirements.  I constantly think ahead, incorporate new technologies to solve old problems, and think about the long term while building software.  What I don't do very well is communicate with others.  Hence my taking the crucial conversations course.

I found crucial conversations to be a great course/book.  What I loved about it is how the techniques described in the book promote candid responses.  They don't want you to flower things up.  They want you to be direct, and to "know what you want".  For example, say you rely on another member to get some work done.  The work that they produced is either incomplete, or insufficient.  You could go on a flame streak.  You could insult them, degrade them.  You could talk bad about them behind their back.  You could do all of that.  Or, you could step back, analyze what you really want, and approach the problem that way.  You could say to yourself, I really want to get this work done (more than insulting), how can I have a conversation that will lead to the real goal?

Like most courses of this kind, the real focus is on you.  You have to change the way you think.  You have to know what you want, and keep that paramount in your mind while conversing.  You have to master your stories.  Everyone sees the "truth" through the lens of their experience.  In your own mind, take the story you have created about an event and try to separate out fact from fiction.  For example:
"The supervisor hired the recruit.  The young man poured sand in the copier.  The boss found out that the copier was broken and fired the new recruit."

Even just examine the above story.  Did you think that the young man was the recruit?  Did the story actually say that, or did you just assume that to be true?  Is the boss the same person as the supervisor? Are you sure?

The one element that I really liked about the course was the tools they developed for actually having a crucial conversation.  You have to follow the STATE rule.
S ==> Share your facts
T ==> tell your story
A ==> Ask for others' path
T ==> talk tentatively
E ==> encourage testing

I really suggest that you read the book (or take the course) as it does go into a lot of depth about how to deal with people.  The tools provided will probably help you solve a lot of issues you may be dealing with in both the work and the personal life.