7MS #432: Tales of Internal Network Pentest Pwnage - Part 21

I went to my first ever banking-focused infosec conference a few weeks ago (WBA's Secure-IT) and learned a ton. I met some really great people and had many productive conversations around security. The main takeaways from the conference that I talk about in today's episode: Standing all day and talking about security is exhausting! You can thwart "swag whores" (sorry mom, but I learned that that's what they're called!) by pushing your merch table deep into the booth so it's touching the rear curtain. That way people have to go through your "people perimeter" and engage in conversation with you in order to be granted access to the swag! From the conversations I had with the staff at these small banks, they're definitely wanting to slurp up as much helpful info from the sessions as possible. Specifically, finding ways to better improve security posture using free/cheap tools is ideal! I attended a few sessions that got my blood boiling. The outline of these talks went something like this (slight exaggeration added, but not much): Hackers are way smarter and more physically attractive than you, and they can get by all your defenses with ease You're helpless, hopeless, and not physically attractive Luckily we (Vendor X) are here and we offer our patented Super Solution Y that will thwart the APTs 100% of the time, no question, guaranteed People don't appreciate being talked down to, nor do they want to be shamed, blamed or scared into making security better. More on today's episode...

11 Loka 201715min

I'm excited to announce I'm going to be a PacktPub author! I'm going to work with them to create a course on network/vulnerability scanning. I'm pumped, but kinda nervous, so when I had the initial conversations with PacktPub staff, I made sure I hit them with my burning questions: Q: Are you going to ask me to create a sweet course and then pay me pennies for every digital copy sold? A: No. Authors get paid a lump sum up front and then share in profits for digital copies sold. Q: Who's gonna dictate the project outline - as well as timeline for recording it? A: It's a joint effort. The author dreams up the timeline, fine-tunes it with PacktPub, and then hammers out a mutually agreeable project timeline. Q: Do I have to buy some expensive software/hardware to make these videos? A: Not really. PacktPub did recommend I buy a better microphone (so I got a Snowball), and then they license authors a copy of Panopto to record the videos. More Qs and As covered on today's episode!

5 Loka 201711min

Intro The patching solutions review concludes this week with Ivanti's patch solution, as well as PDQ Deploy/Inventory. As a quick reminder, here's where our bake-off currently sits: Ninite (covered in 7MS #275) ManageEngine (covered in 7MS #277) Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day. Ivanti You might know Ivanti as Shavlik - that's the product name I'm more familiar with anyways. Back in February, Shavlik became Ivanti. Pros Pretty easy to install and manage - even without a deep background in IT (in today's episode I tell a story that can back this claim based on my experience) Does a solid job of applying patching Windows OS and third party Cons Pricing is a little steep - last figures I saw were ~$80 per server, per year and ~$40 per workstation, per year. ITScripts library (that allows for GPO-style policy enforcement) is a little slim when compared to similar functionality offered from other solutions PDQ Deploy/Inventory Pros Lets you crazy with building custom packages you can deploy to granular groups Awesome online help resources, including a YouTube video library that's got a video for just about everything Quick response to support tickets Cons A bit more complicated to get comfortable with than the other solutions A little confusing on the Windows patching side - not quite as "point and patch" as some of the other solutions Agentless system - machines have to be able to "see" the PDQ

28 Syys 201715min

Intro We're breaking ground with this episode, folks! For the first time in 7MS history, we've got a guest on the show (finally, right?!). Rob Sell is an IT manager who has been working in IT for many years, with a focus on information security specifically for the last 4 years. He recently came home from Defcon 25 with a third place in the SE CTF. Rob sat down with me to discuss the CTF, how to make an outstanding CTF audition video, OSINT tools/tips/techniques, the value of tech/security certifications, career advice, and more! Interview notes and links Here's Rob's Defcon CTF audition video EchoSec helps you see a geographical area at a certain point in time. According to the Web site, EchoSec is "the most comprehensive social sentiment tool on the market" - hmmmm, seems like a great SE tool! X-Ray is "a tool for recon, mapping and OSINT gathering from public networks." Michael Bazzell's Web site has online training, free tools and other goodies. Michael also has some books. Christopher Hadnagy has a podcast that's strictly focused on SE. He's also got some books. ArcGIS isn't necessarily labeled as an SE tool, but can certainly be used for SE efforts.

21 Syys 201756min

ManageEngine Desktop Central Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate. Pros Agent or agentless management of systems MDM (didn't play with it but it certainly looks feature-rich) Application white/blacklisting Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login banner, enforcing screen locks, setting IE homepage and search engine, etc. Patch management is full-featured - it's easy to setup a simple "scan systems, download and deploy missing patches." Or just a "scan to identify missing patches" kind of thing. It's easy to run a variety of reports to find out which systems are most vulnerable, which patches are missing across the enterprise, etc. Software deployment engine - there's a big package library where you can easily search and deploy things like Dropbox, Adobe Reader, etc. It also includes a self-service portal where users can simply select certain packages and have them installed automagically! Inventory - ability to have detailed hardware/software level details on each machine. Ability to block software by path and/or hash. You can also give people a warning saying "We're gonna nuke dropbox in 2 days if you keep it on here!" Agent-based install gives you ability to chat with users, remote control systems, send announcements, drop to a command line at a target machine, etc. Reports - you can create a report for just about anything under the sun like AD group changes, user logon reports, users that are disabled/expired, and on and on... Email alerts - I think you can trigger an email alert for just about ANYTHING that happens in the environment. ...more on today's episode!

14 Syys 201713min

This is it! The worldwide Internet debut of an original infosec-themed song called CryptoLocker'd, and as the name implies, it's about a CryptoLocker incident. Here's the quick back story: A few years ago a worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on. I found the user's handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it. Today's episode has the audio, and I welcome you to follow along with the lyrics below (head to 7ms.us to see the full lyrics as they are included in a GitHub gist)

6 Syys 201712min

This episode continues our series on comparing popular patching solutions, such as: Ninite ManageEngine Ivanti PDQ Ninite This week I focused on Ninite, and here's the TLDR version: Pros Does one thing (third party patching) and does it really well Extremely affordable User interface is clean, simple and really easy to use/learn Cons No "agentless" option - it's an agent or nothin' I'm not sure if Ninite has the brand name recognition and reputation to be accepted/respected by large companies I need to do more homework on how they pull down their packages...are they ripping apart packages and repackaging them at all? That could be a big avenue for side-loading icky stuff.

30 Elo 201711min

I'm back from Vegas! My talk went really well and I'm excited to tell you about it in today's episode. First, some conference/trip highlights: During the ILTACON conference I attended a great talk by Don McMillan about how to infuse humor into your work environment. Really enlightening, and you know those things you hear about how humor lowers blood pressure, increases satisfaction and just overall makes you a more pleasant person to be around? Turns out it's true! On the day before my presentation I got my first experience touring around the Vegas strip, and the people watching did not disappoint. I also saw the Muhammad Ali and Van Gogh exhibits, which were awesome. When it came to the actual talk, everything went really well. The audio/visual stuff all worked perfect, and I felt the content delivery went over well too. People asked a lot of questions and even hung out afterwards to discuss security topics further. There were two big surprises I wasn't expecting, though: A podcast listener was at the conference, and shared with me that after listening to lots of 7MS episodes, he always figured I looked like Jared from Subway. :-( There were super talented artists from a company called Filament did a comic-book style retelling of my talk live as I was doing it. I love crazy-talented people like this, so I was totally geeking out. I reposted the renderings (with their permission) at my personal portfolio site if you wanna check 'em out.

23 Elo 201715min