Showing posts with label certification. Show all posts

Saturday, October 25, 2008

Multiple Thoughts on Multiple Security Issues

I'm too tired to put enough effort into several blog posts, even though I really want to, but next week is already looking painful, so I'm going to throw several different thoughts into this post.

First Thought: The CISSP CBK ain't so bad...

After spending the last week explaining what I consider core security ideals to people that should know better, I found myself really feeling that a senior security person should understand those core ideals as a minimum level of competency. For a keyboard guy, my opinion stands that the CISSP is not a measure of their ability, but I would expect a "hands-on" guy to know that material as well.

The latest TaoSecurity post mentions NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security); maybe I'll start recommending that.

Second Thought: What should a CxO know?

I'm new to the whole CxO thing, but shouldn't the people in your CIO/CTO/CISO jobs understand the things from the first thought? I am thinking yes, they should have more than a PMP to make smart security decisions, but I'd like some feedback on that. Like I said, I'm new to that kind of environment. A lot of the people on the SBN that hold those positions seem to understand those concepts.

Third Thought: How do you fix a "porous" network?

By porous I mean more than one security hole at any one time, and usually a LARGE security hole. Back to the first thought: people seem to think that if you can fix one problem the rest magically put themselves on hold while you fix that one and you can "catch up"...not! I am also new to real Incident Handling and Response (in the past I've been the guy getting to cause all the trouble), but I'm finding more and more holes and issues as we try to mitigate and fix the first issue. How do you make people understand that the problems don't stop coming in if you have poor network security or poor network design?

Fourth Thought: Initial feeling on SIMs

My initial take on Security Information Management (SIM) devices is that they are a great concept. I'm starting to play with Cisco MARS and thus far I am impressed with what it SHOULD be able to do. I'll let you know later how well it does.

Fifth Thought: Another unauthenticated full remote MS exploit...SCORE!

I love bugs that are on the level of MS03-026, MS04-011, and MS06-040. Mass pwnage on pentests is awesome. I hope this new MS08-067 ends up being that bad (and the msf module comes out at some point). We need a new DCOM or LSASS exploit. I love it when we get proof that network security isn't dead.

Last Thought: Really more of a "what would you do/recommend"

In our fictional example you found pwdump on your Domain Controller (not put there by one of your admins), and the registry keys point heavily to it having been run successfully and the results having been downloaded. What do you do, or recommend to the customer?

The book/draconian answer is wipe everything and start over. In people's experience, is that a real option for a real network without the ability to take mass downtime? Is a mass password reset considered enough of a mitigation?

Would appreciate input from the people out there on our fictional scenario.

Monday, July 28, 2008

Passed My CISA

Got word I passed my CISA.

ph33r me!

I'll pass on the certification hating, see my posts on CEH != competent pentester and CISSP != competent pentester...pretty much the same feelings on this one.

*edit
Looks like I had already done a CISA post...so I'll still spare you the hatin'.

Friday, June 20, 2008

For The Love Of God -- CISA != Pentester Either

I wasn't going to post about my CISA exam, but Dre's post on the CISSP got me motivated to do it even though it's not really related.

Why CISA, you ask? Well, they made me.

I'm not going to bitch and moan about the test (much). I took a whopping one question on the OSI model, a lot on IT governance, and several on a dumbed-down version of how PKI works. Dumbed down so much, and with terms that made so little sense, that I had to sit there for a minute trying to figure out what the heck they were asking, and I KNOW how PKI works. It was also poorly written, which I found surprising given how long the cert has been around. For the life of me I'll never understand why asking me a simple question in some obscure way makes me prove I know the material better. I understand that with math that might be the case, but not with IT. Overall I felt it was very low tech, yet the CISA certification is now required for anyone doing CNA.

Work did send us to a 1 week bootcamp on the CISA, where my favorite quote of the class was "CISA, a technical certification for accountants"...yea! After a week of talking about it, I would sum it up by saying that the Auditor goes back and checks to see if the CISSP did his/her job properly and if their processes are meeting whatever requirements apply to that particular business.

Anyway, nothing in the course, books, or test helped me get better at the real duties of my job. I guess we could argue management and professional development, but when you are talking about a level 3 certification I want experience that helps me do my real job better, not something that makes people that stopped being good at technical stuff long ago feel better about themselves.

Now let me cut the 8570 folks some slack: CNA is huge and pentesting is a small part of it. I can see that if you do IA inspections, blue teaming, or that go-through-your-checklists, run-a-gazillion-scanners kind of vulnerability assessment stuff, the CISA is at least in your domain. Would having the CISA certification help them do their job better or prove that someone could do that job? I don't think so, but it's in their domain.

On a positive note, I was asked to think about a certification for pentesters for DoD for yet another update in the distant future. I personally don't have any experience with any (meaning I haven't taken the training or the test) that I would recommend. I think CEH & LPT are out, just ask an LPT and they'll tell you why. I will be looking into the SANS GPEN or possibly the CEPT (Link1 & Link2).

If anyone has any suggestions for certs to look into, please post up. The "you don't need a certification" debate we can keep on another thread; we won't be getting away from the need for certification in this case.

Sunday, June 8, 2008

Updated DoD 8570.1M (draft) -- CISA/GSNA required for pentesters

If you do any IA work for the US government, it's probably worth taking a look at this draft to see what's coming down the pipe.

www.dtic.mil/whs/directives/corres/pdf/857001m.pdf

Of interest to me is the new requirement to get the CISA or GSNA if you do any sort of "Auditing", to include pentesting.

"C11.6.1. CND-AU personnel perform assessments of systems and networks within the NE or enclave and identify where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. CND-AUs achieve this through passive evaluations (compliance audits) and active evaluations (penetration tests and/or vulnerability assessments)."

Not to get back into the whole Not a CISSP thread or the CEH != pentester debate, but I'd like to hear other people's opinion on the validity of basically requiring the CISSP, and now the CISA, if you do pentesting for DoD. I have no experience with the SANS GSNA material, so I have no comments.

I'm studying for the CISA now and there is very little, if anything, that applies to pentesting. Painful is the only word I can think of right now to describe it. But I'm taking my own advice by sucking it up, learning the material, taking the test, and going back to doing what I was doing.

In case anyone is still in the dark, auditing != pentesting.

Wednesday, May 21, 2008

podcast comments

Caught a couple more podcasts.

Old one from sploitcast from shmoocon. Most interesting part was the SCADA stuff. After seeing Jason Larson's talk on SCADA Security at BH D.C., it seems that even though the impact of SCADA can be pretty high, you aren't going to get into a SCADA system and start issuing arbitrary commands. There is a pretty big element of needing to know what protocols the system is speaking and figuring out what it can do. I'm oversimplifying, but it's not like taking out the gas company is as easy as popping it with dcom and hitting the blow up button (or issuing the blowup command on the command line).

*edit* someone emailed me and said it was pretty much that easy as far as getting into those types of systems, because they can't be patched. Making them do bad things is a bit harder.

Of other interest was the talk about ZigBee (wikipedia definition).

ZigBee just may be the next new thing to break and to claim that the sky is falling about. The whole public safety wifi net (2nd link, 3rd link, 4th link) is more fun but probably won't win you any friends in LE. I can't find the link, but I did read somewhere that encryption was optional in the standard...whoo hooo.

Network Security Podcast 103: best part was them talking about how Rich, Martin and Paul of pauldotcom got into the security business, and the discussion on the CISSP certification. On the same topic, EthicalHacker.net has a really good interview with Ed Skoudis, and a big topic of the interview is getting into the security business.

Risky Business #61 & 62. I don't have anything to say about 62, but 61 was with HD Moore. I'm a self-confessed metasploit fan, so pretty much anything related to that fires me up, and HD's "evil EeePC" sounds awesome. Cool little laptops, karma and metasploit, owning people on the plane, too much fun. As soon as I can find someone selling the new Eee PC 900 in "hacker" galaxy black I'm all over that bad boy.

Also caught pauldotcom #107. Got nothing for you on that one. Oops, scratch that. Free wifi at Starbucks by changing your user agent to "mobile safari" is the bomb.

Lastly, someone asked if I was actually getting anything out of the podcasts and the answer is yes. By the time I get to work I've got my mind right and I'm not totally focused on wishing I had a missile launcher in my car to blow up the asshat driving 55 in the fast lane.

Sunday, April 20, 2008

Not a CISSP ?!?!

Chris Eng over at Veracode has an interesting post on their blog about Immunity's "not a cissp" button.

If you've been under a rock, here is the button:

I've got mixed feelings about the button. For one thing, I've seen a couple of CISSPs wearing that button at defcon/shmoocon; I guess they were practicing some SE. But secondly, it's easy for people in the top 5% of the security game to say you don't need certifications because they (most importantly) already have that level of experience and name recognition. Dave Aitel doesn't need to take a test and throw some letters after his name to prove to anyone he knows his stuff; he proved himself long ago, but I can't imagine he came out of the womb with that much fu. Maybe he did, I don't know.

For us mere mortals who are just trying to get a paycheck and get some experience, a lot of places are requiring certifications to be on the contract, or get the job, or even to get your resume to the hiring manager. For .mil/.gov this is because of 8570. To me, requiring certifications is a step in the right direction. Since no one has come forward with a scalable "hands-on" way to certify people, that paper test (for now) will have to do. At least people are trying to get qualified people in the slots; saying CISSP or some other cert makes you automatically qualified is another matter.

I'll be the first one to agree with Chris that "like many security certifications, it's an ineffective measure of a security professional's practical abilities." See my CEH != Competent Pentester post, but the game is the game. If you have to sit for a test to do/get the job then stop bitching, take your test and move on with it. If you want to stand your ground and just bitch and not get the job, enjoy your time on the Geek Squad.

Friday, April 11, 2008

CEH/CPTS Certification != competent pentester

Dean and I have talked about this more times than I can count, and finally a discussion has taken place over on the pen-test list about automated pentesting and a pentester's experience. The thread is here: "Penetration Testing Techniques". I won't get into all the issues with what's going on in the post; I'm going to harp on experience and certifications.

From the thread: http://seclists.org/pen-test/2008/Apr/0039.html

"Well, the results are definitely verified through nmap as well. OS is win 2k3 running IIS 6.0 and only 80 being open. Yes indeed the client has assigned us the job to perform the pen test and knows about it. I do have the CPTS training dvd and am going through that, but it will take time to digest that horde of information. Also downloading WebGoat to get my hands wet with web app testing."

While the thread is initially about CORE IMPACT not finding any vulnerabilities on this particular server, the underlying issue is the lack of experience someone has and them being hired to do a pentest. It's a recurring thread on other sites as well: "Hey, I got my CEH, who wants to hire me to be a pentester" :-(

Bottom line, tools are just tools; they help humans get jobs done. They aren't and shouldn't be the only thing used on a pentest. The other point is experience is king. Granted, the original poster is getting experience, but giving CORE to a brand new tester is not going to help them get better. There is a reason A LOT of subjects are taught the hard way first and then you get taught "the shortcut." Oh, and passing a multiple choice test is not a real demonstrable measure of ability.

Let me also add that if one of my employees posted some crap like that, I'd seriously be considering them finding another place to get their experience.

Want to learn the right way? Check out LearnSecurityOnline's Learning Model. LSO isn't the end all be all of security, but I think the Learning Model and the Core and Advanced Competencies are a solid foundation for any security professional.

Here are the Core & Advanced Competencies:

Four Core Competencies
• Operating Systems
• Networking
• Programming
• IT/IT Security Resources

Advanced Competencies
• Documentation, Policies, Procedures, Disaster Recovery
• Cryptography
• Forensics
• Penetration Testing
• Security Industry Certifications

Thursday, May 24, 2007

Value of certifications

There has been a lot of discussion about the value of certifications lately. Here are a couple of links:

taosecurity link

EH.net link

securityfocus link

My take on it is that most of these guys, like Don Parker and Richard Bejtlich, are the exceptions to needing certification rather than the norm. If you are a published author or regularly speak at conferences, you probably possess a large body of knowledge. So it's not unthinkable that people of this caliber might question the value or need of certification, because they already possess advanced knowledge in those subjects.

What I'm slowly learning about computers and security is that once something has been brought into your "knowledge realm" it's sometimes hard to remember a time when you didn't know that piece of knowledge, or how it's possible that other people don't know that. nmap switches and usage can be used as an example, or maybe even using tools like nessus or metasploit.

In the back of my mind I remember needing my cheat sheet for nmap switches. Now of course I can tell you all about them from memory and don't need a cheat sheet to use the various switches. The question then comes up of how I got, or how someone else can get, to that point.

Obviously using those tools while working with LSO helped a lot, but studying the stuff for my CEH and CPTS exams also helped bring that information into the knowledge realm, and thankfully it stuck. Certification definitely helps people learn and can create a roadmap for someone trying to get into an IT niche, whether it be routers, firewalls, security or whatever.

Does having cert X mean that person is immediately qualified to work in your organization? Of course not; that's why you interview a person, to make sure what's on their resume is what is actually in their knowledge realm and they can actually apply that stuff at work.