Tuesday, November 22, 2011

Thanksgiving - Don't Get Your Goose Cooked

Last year, I posted on an event that took place a long time ago in computer security years. It took place on Thanksgiving, 1989 and introduced us to the names Phiber Optik, Acid Phreak and others and brought the name Masters of Deception into the public spotlight.

This Thanksgiving, I want to look at something similar. Think about this... It's the day before Thanksgiving and you are trying to get all of your work tied up, phone calls made and everything else to a point of homeostasis so you can enjoy a nice long weekend. Tomorrow, offices are either closed or have minimal staff. Computer/Data Centers are running on a skeleton crew. It's the perfect time... for a security breach.

Physical Security
Physical security threats abound in the most unlikely of places and with the most unlikely people. Who can be a risk?
  • Cleaning crew
  • Security guards
  • Unescorted visitors (or even escorted visitors that aren't watched too closely)
  • People posing as "authorized" vendors
  • Disgruntled employees that have to work the holiday
  • Passersby who can look in the windows

Look around your office, cube or workspace. What do you see? Are you providing an opportunity for someone who may have a motive to gain inside information on your company? What may seem as innocuous to you could be a treasure trove of information to someone looking to breach your security.

Look at your desk. Is it clear? What's information is on it? Do you have Post-It notes all around or papers laying on top of it that contain delicate information?

Do your cubicle walls have network information pinned to them like addressing schemes, name and phone numbers of people in valuable positions, or network maps?

If not, good; your partially there. Now, let's look deeper...

Can a person get information as to what hardware or software you're running based upon what's lying around such as boxes or books?

Do you leave flash drives lying around your work area?

Do you leave your laptop laying out, unsecured?

OK, all these are problems, so, what can be done?
  • Keep all information filed away neatly in locking file cabinets.
  • Keep your desk drawers and cabinets locked.
  • Keep valuable network information in a binder that can be locked away at night.
  • Secure laptops, CD/DVDs and flash drives in a locked cabinet
Information Security
During the time that server load and personnel are at a minimum, do you have someone watching the shop? During holidays, it's important to keep a vigilant eye on your organization's systems.

Are you monitoring for:
  • Disk usage or latency
  • Network usage or latency
  • Database query traffic
  • Ping sweeps or IP scans

Likewise, when coming back from a holiday break, set time aside to immediately go over system logs, and performance metrics (you are tracking usage, right?) to make sure that everything is where is should be compared to your baselines. (You do have a baseline of your systems, right?)

By taking some necessary precautions, you can avoid coming back to a bunch of headaches after a holiday break.

Happy Thanksgiving!

Thursday, November 17, 2011

Book Review: Metasploit: The Penetration Tester's Guide

I was recently given the opportunity to review a copy of Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni.

This book, which is published by No Starch Press, opens with a hearty recommendation by HD Moore, the creator of the Metasploit Framework, then continues with an introduction to penetration testing and the history of the Metasploit.

The fact that this book thoroughly covers a tool that changes daily is a credit to the authors, who as leaders in their field, strive to provide relevant information and instruction without becoming outdated before the book is purchased.

From the basics and phases of penetration testing and probing a network to building your own modules and creating your own exploits, this book has it all. Granted with such a wide base, it is difficult to really dive deep on so many topics, but this book covers different many scenarios and touches on the major features and functionality, all while showing the ease of using the tool. This is a plus, as it seems that with a tool as robust as Metasploit that it would be very easy to get caught up in the the details of individual settings and features, but luckily this is not the case here.

In addition to all of the topics covered, specific sections such as the ones on Meterpreter, the Social Engineering Toolkit and Fast-Track, help to cement the knowledge of reconnaissance, enumeration and various attack vectors and are very informative.

Lastly, the information contained in the two appendices in the back of the book puts a bow on this nicely wrapped present. Appendix A helps you get a target environment, including MS SQL Server, up and running. For me, this helps ties everything nicely together as it's impossible to understand the Metasploit Framework from a penetration testing perspective without actually having hand-on experience. Appendix B is a listing of the most frequently used commands for Metasploit's interfaces and utilities and serves as a good quick reference.

All in all, Metasploit: The Penetration Tester's Guide is an invaluable resource to get those that are new to this tool up and running while also providing experts with a great resource to turn to when help or ideas are needed. One can pick up this book and quickly gain a firm understanding of penetration testing methodology and thought processes as well as quickly come up to speed on the best security tool currently available.