Thursday, May 28, 2015

Answers to Questions from the nVisium SecCasts Panel

I was asked to be on on a panel for nVisium's SecCasts. Our episode should be out next week, so spoiler answers are below:

If readers/friends/community want additional details on something let me know.

Here are the answers to the questions I received ahead of time

- What security projects are you currently interested in?

* Still interested in metasploit.
* current things I'm working on is pentesting at scale and continuously.  Pentest tools aren't great for diffing results across scans with large numbers of hosts.  It can be a challenge identifying all of X in an environment then performing actions against it to test for vulnerabilities.
* osquery is pretty interesting

- What technologies are you currently looking into?

* Devops tools are really fun for me right now.  They are essentially botnet controllers...meaning they are designed to do a task against multiple machines quickly. Their security model leaves quite a bit to be desired. Their model is essentially, that if you can talk to the application you are trusted, which is horrible.

* AWS has tons of neat things that I want to start looking in to

* OSX exploitation

- What are some of the latest offensive security trends?

* Not sure this is necessarily a trend, but initial access vectors are always interesting to me. Especially as browser/memory corruption bugs are going away && they never ever work, pdfs/flash is better, default protections in office products, java has slowly been tightening the screws.  People will still open and run things but I wonder how that will look 5 years from now.

* The concepts in server side browsing talk by Nicolas Gregoire is also interesting to me

- How to use an internal RT in the best way
* continuous testing
* internal people have skin in the game
* understanding the environment a bit more in a mature or well monitored enviro
* breach assessments
* training for other teams
* not dropping problems on people and saying see ya
* work with SOC/NOC/incident responders/application owners

- What should defenders be concerned about or paying attention to?

* Establishing a baseline of what is normal network traffic wise, so you can alert on what is abnormal (not trivial)
* Effectively parsing tons of log data to create alerts on interesting events (not trivial)
* Creating a system that encourages users to report suspicious things and have a team that responds to those reports in a reasonable amount of time. If you don't respond (in a reasonable amount of time) this very much de-incentivizes users to report (easier to do--at least from a technical perspective)
* Know what you own and monitor it

- What areas should security folks be focused on in the next 3-4 years?

* How to make SSL/TLS, email encryption, 2fac more accessible to everyone
* Bridging the gap between recommendation to fix and execution of fixes (not trivial). we can do better with our recommendations. A lot of time we say stuff like, have better passwords or dont allow X but sometimes stopping X is really really hard, no one knows the best way to do it or its going to be a lot of work to do that. It can be overwhelming to fix. see it next year on your pentest.
* Engineering better tools for everyone to use. I'm SUPER guilty of releasing works for me code, but we need to do better about engineering good tools for more people to use

- Having worked both sides (offense and defense), has this changed your perspective? If so, how?

* Fixing is way harder than breaking.
* Mature companies should be purple teaming, Where the offensive guys sit with the defenders to iteratively improve over time.  Removing the adversarial relationship is key for internal teams to work together in a better way.

- What are your thoughts on the so called "stunt hacking" as of late and all the crazy branding behind vulnerabilities like shellshock, heartbleed, etc.

* Behind most stunt hacking is a really bug/vuln/exploit.  I don't want those to go away. I also understand that people/businesses want to get paid and also that researchers have no control over the *PR releases* that marketing puts out though. At Lares we didn't win a RFP because someone had written a tool, the person selecting the company to do the work based the final decision on that. so I guess marketing is necessary evil.  However I'm a believer in putting the full issue out there. Checkpoint's dealing with the misfortune cookie issue is a good example of how NOT to do things in my opinion. they had enough time to come up with fancy marketing materials and clever name for the issue but never released exploit code.  Without code, no exploit, no exploit people don't give a crap. its sad but true. And the fortune cookie issue is a prime example. no exploit for it, no one cares, problem isn't getting fixed. Cool catchphrase and logo + exploit code == stuff gets exploited, fixed, and awareness generated...much better.

- What is the security community getting right?
* We are doing better with responsible disclosure despite some companies really really sucking at working with researchers
* Volume of information being put out there via conferences & blogs...arguably too much

- Where could the community improve?
* Consistency of testing and reporting. PTES was an attempt at this but lots of work still to be done.

* Touched on it above. we give crap recommendations to clients.  We need to do better on our recommendations to fix problems. it sounds trivial but we bitch and moan about clients being too stupid to do what we tell them but we give them little to no resources to actually fix issues.  Free business idea is for PT companies to partner with companies that can/want to fix these issues like hardening routers or creating secure baselines or GPOs.  most pentest companies don't want to do this, another camp says its a conflict of interest. The fix is to at least have a few places companies can immediately turn to get some help if the pentesters company doesn't want to do it.

-Follow on by Rob: awareness trainings vs technical controls
* Mostly in agreement. Technical controls should be better to prevent more things that we say users should catch/report.  On the other hand, security awareness transcends work and moves into home computer usage, education of others, and ideally more awareness in the real world (think 419 scams, 3 card monty scams, people selling you stuff door to door, etc). Facebook's Hacktober carries value all year long  so the human element of social engineering can not be fully fixed by technology.

- Name the top 1-3 books you think every security person should read this year.

*The Phoenix Project by Gene Kim  to understand how devops can work in an enterprise but also so we don't become the security guy with the black binder in the book who is perceived as doing nothing but creating unnecessary work.
*Zero to One by Peter Thiel to understand what makes a good startup or idea (TLDR does the company solve a huge problem --aka go zero to one or does it just iterate on something somewhat solved). Its also a good way to see why companies in SV have some of the policies they have.
* No Place to Hide by Greenwald (and Snowden) -- why and how it all played out is interesting despite your feelings on the action itself.

- What are your favorite sites or resources for information, tools, etc.
* twitter
* blogs although it seems less and less people are blogging. Not sure where all that information is going
* NoVA Hackers

- What advice would you give a person entering the security field or who wants to get into it? 
* Don't
* Learn webapps
* Learn python/ruby/javascript
* Learn/have patience with clients. They aren't as smart as you (or as smart as you think you are) and have tons of other stuff to do besides fix the issues you found
* If solving puzzles doesn't interest you, pick something else.
* If you don't want to have to continually learn new things...FOR THE REST OF YOUR CAREER...pick something else.

- (Assuming not answered in the previous question) What value do you place on a college degree (in terms of entering the field)?
* Not required but there is something to be said for being a well rounded individual which the core/required classes they make you take in college attempt to make you learn.  From a life hacking perspective it has values as people automatically assume things based on having finished college or having a particular cert or having an MBA or whatever.  Not necessarily good or valid but it is what it is.

-What's your favorite US and non-US security conference and why?
* Troopers and BRUCON  but to be fair I haven't been to many EU cons and zero AP cons
Derbycon for US con. I actually don't go to that many cons anymore. I'd rather be home with the wife and kids

-Are you currently working on any security projects?
* Not that I can currently share but maybe soon.

-What are you general thoughts on crowdsource programs such as Bugcrowd or HackerOne?
* Bugs getting fixed is always good. However, I think the payouts are too low for most bugs.

-What recent research from the security community has excited you the most in the past year or has had tremendous impact (aside from Heartbleed)? 
* BIOS rootkits, GPU rootkits, tools/techniques the NSA uses that were disclosed by Snowden.

-Does the public really care about cybersecurity?
* They care about their dickpics getting leaked or can be seen by the NSA ( but otherwise no.  Plus check out the stock for TJ Maxx, Target, any of these healthcare companies. Its not affecting them long term.


No comments: