The Agile Movement
In my previous blog, Developing a Strong Application Security Program: Part 1, I looked at aspects of a successful application security program as it pertains to a more traditional waterfall Software Development Life Cycle (SDLC). In part two of this series, I’ll focus more on an agile-based SDLC and options for implementing a successful application security program.
Let’s briefly describe some of the differences between a traditional waterfall SDLC and agile SDLC. In a waterfall SDLC, there are clear project objectives through each phase of development. Typically, each project consists of several phases: planning, design, coding, and finally testing. Security teams are injected into the phases and should have sign-off authority on each phase before the project continues to the next. I detailed security’s role in this... read more >
Is your information security program ready to go pro?
It is officially the start of my favorite time of the year: football season. College and NFL seasons are kicking off in September, which means the next 20 or so weekends will be filled with football.
So why am I talking about football? In the blog today, I’ll be comparing a common framework, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to my favorite sport, football. Using comparisons when talking about security can be a powerful tool in helping to break down complex topics and make a technical problem easy to understand.
For a little background, below is a brief description of the NIST Cybersecurity Framework, from their website:
Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible,... read more >
Recently, NTT Security discovered a phishing email containing malware. The email had a Microsoft Word document attached with a malicious embedded macro. Macros are an effective infection vector and have been steadily gaining popularity in the last several years. Microsoft Office macros are a series of instructions run together as a single command. Microsoft extended macro capabilities to include Visual Basic for Applications (VBA) run inside of a Microsoft Office application (Access, Word, Outlook, Excel, and Power Point). The takeaway is that macros could be, and probably are, malicious code when coming from an unknown source.The Document
Below in figure 1 is a screen shot of the document we discovered embedded in the email. As you can see, the document is well formatted, and looks very legitimate. It also gives step-by-step instructions, requesting the user to enable content so the... read more >
When “catch them all” isn’t just Pokémon Go’s catch phrase
Let me start off by saying that I have not played a Pokémon game since Pokémon Snap back in ‘99. When I heard there was going to be an augmented reality Pokémon game for mobile, my inner child fanboyed. I made sure to download it as soon as it hit the app store, and had the fever to “catch them all.” I quickly found out, however, that Pokémon were not the only thing people were catching.
The best way to catch a Pokémon is to go out to a public area. The game shows you a virtual map of the area (it’s connected to Google maps, so is a real map). As you explore, Pokémon “spawn,” or show up, on the app for you to catch. The first place that popped into my mind as a good place to catch Pokémon was the park. So I packed up my stuff, got my daughter ready to go, and off we went.
I started to catch Pokémon, and even gave my daughter a few tries. With both of us using the app, we... read more >
#WarStoryWednesday: so many hosts, so little time
Every now and then, while performing a penetration assessment, we’ll get a large set of hosts considered in scope. This is often a nice change of pace from the compliance-based penetration assessment where the scope is smaller and more focused on the Cardholder Data Environment (CDE). With the larger scope, we can come a bit closer to simulating an actual attacker from the perspective of the internal network. I say closer because as security consultants we are still limited by time, often only having a week to perform an assessment. If the scope is big enough, we will typically send two or more consultants. This blog will detail just one of those assessments and will hopefully give insight into effective time management for large scopes that offer more than one method of compromise.Background
Let me set up the scenario a bit. My co-worker Adam Steffes and I were tasked with performing an assessment with... read more >
A while ago someone referred me to this post on reddit labeled, “The boss has malware, again….” It is an entertaining story from a help desk employee at a large corporation who discovered that an e-cigarette belonging to one of their executives had malware hardcoded into the charger. When the charger was plugged into a systems USB port, it would phone home to a server to download malware on the unsuspecting users system. Stories such as this are more common than you may think. In the past, many consumer devices have been discovered to contain embedded malware directly from the manufacturer. There have been many historical incidents of infected digital picture frames, MP3 players and other devices having been unwittingly sold and distributed by big box stores and small retailers alike. Most recently, a large quantity of... read more >
You are only as good as your toolset!
In my last blog I asked the question, “Have you ever tried to chop down a tree with a fork?” and told you about an incident response process that was made difficult by the lack of adequate tools. This is a common problem in the field of incident response and security as a whole, and shouldn’t exist. Unfortunately, however, many system administrators, network administrators and help desk personnel assume they can handle an incident, when in reality it is far more complex than they are aware.
A basic introduction to incident response is beyond the scope of this blog, but I do want to introduce the reader to the “Order of Volatility.” This is a common methodology that is taught across the security spectrum. It provides the responder with the ability to gather evidence from the more volatile to the less. This is extremely important when responding to breaches or malware infections. So, let us review the... read more >